PYSEC-2026-1707

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/notebook/PYSEC-2026-1707.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1707
Aliases
Published
2026-07-07T11:45:30.804450Z
Modified
2026-07-07T17:57:29.732463002Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
Summary
JupyterLab vulnerable to SXSS in Markdown Preview
Details

Impact

The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature.

A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user.

Patches

JupyterLab v4.0.11 was patched.

Workarounds

Users can either disable the table of contents extension by running:

jupyter labextension disable @jupyterlab/toc-extension:registry

References

Vulnerability reported via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.

References

Affected packages

PyPI / notebook

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.7

Affected versions

7.*
7.0.0
7.0.1
7.0.2
7.0.3
7.0.4
7.0.5
7.0.6

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/notebook/PYSEC-2026-1707.yaml"