PYSEC-2026-164

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/jupyterlab/PYSEC-2026-164.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2026-164

Aliases

Published

2026-05-13T16:16:47.017Z

Modified

2026-05-27T13:56:09.132550385Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowedextensionsuris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not contained to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.

References

Affected packages

PyPI / jupyterlab

Package

Name: jupyterlab; View open source insights on deps.dev
Purl: pkg:pypi/jupyterlab

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.5.7

Affected versions

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.0.8

4.0.9

4.0.10

4.0.11

4.0.12

4.0.13

4.1.0a1

4.1.0a2

4.1.0a3

4.1.0a4

4.1.0b0

4.1.0b1

4.1.0b2

4.1.0rc0

4.1.0rc1

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.1.7

4.1.8

4.2.0a0

4.2.0a1

4.2.0a2

4.2.0b0

4.2.0b1

4.2.0b2

4.2.0b3

4.2.0rc0

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.3.0a0

4.3.0a1

4.3.0a2

4.3.0b0

4.3.0b1

4.3.0b2

4.3.0b3

4.3.0rc0

4.3.0rc1

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.3.5

4.3.6

4.3.7

4.3.8

4.4.0a0

4.4.0a1

4.4.0a2

4.4.0a3

4.4.0b0

4.4.0b1

4.4.0b2

4.4.0rc0

4.4.0rc1

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.4.7

4.4.8

4.4.9

4.4.10

4.5.0a0

4.5.0a1

4.5.0a2

4.5.0a3

4.5.0a4

4.5.0b0

4.5.0b1

4.5.0rc0

4.5.0rc1

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

4.5.5

4.5.6

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/jupyterlab/PYSEC-2026-164.yaml"