PYSEC-2026-688

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/notebook/PYSEC-2026-688.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-688
Aliases
Published
2026-07-02T14:13:10.480332Z
Modified
2026-07-06T08:11:30.661358280Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N CVSS Calculator
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N CVSS Calculator
Summary
JupyterLab: XSS due to lack of sanitization of the action attribute of an html <form>
Details

Impact

Untrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.

Patches

Patched in the following versions: 3.1.4, 3.0.17, 2.3.2, 2.2.10, 1.2.21.

References

OWASP Page on Restricting Form Submissions

For more information

If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list security@ipython.org.

Credit: Guillaume Jeanne from Google

References

Affected packages

PyPI / notebook

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.7.11
Introduced
6.0.0
Fixed
6.4.1

Affected versions

0.*
0.0.0
4.*
4.0.0
4.0.1
4.0.2
4.0.4
4.0.5
4.0.6
4.1.0
4.2.0b1
4.2.0
4.2.1
4.2.2
4.2.3
4.3.0
4.3.1
4.3.2
4.4.0
4.4.1
5.*
5.0.0b1
5.0.0b2
5.0.0rc1
5.0.0rc2
5.0.0
5.1.0rc1
5.1.0rc2
5.1.0rc3
5.1.0
5.2.0rc1
5.2.0
5.2.1rc1
5.2.1
5.2.2
5.3.0rc1
5.3.0
5.3.1
5.4.0
5.4.1
5.5.0rc1
5.5.0
5.6.0rc1
5.6.0
5.7.0
5.7.1
5.7.2
5.7.3
5.7.4
5.7.5
5.7.6
5.7.8
5.7.9
5.7.10
6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.1.0rc1
6.1.0
6.1.1
6.1.2
6.1.3
6.1.4
6.1.5
6.1.6
6.2.0
6.3.0
6.4.0a0
6.4.0a1
6.4.0rc0
6.4.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/notebook/PYSEC-2026-688.yaml"