
CVE-2026-40171: Jupyter Notebook and JupyterLab token theft via stored XSS in help command linker

EPSS 0.10% · P28

I. Basic Information for CVE-2026-40171

Vulnerability Information


Vulnerability Title
Jupyter Notebook and JupyterLab token theft via stored XSS in help command linker
Source: NVD (National Vulnerability Database)
Vulnerability Description
In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be chained with attacker-controlled notebook content to steal authentication tokens with a single click. An attacker can craft a malicious notebook file containing elements that appear indistinguishable from legitimate controls and trigger execution when a user interacts with them. Successful exploitation allows theft of the user's authentication token and complete takeover of the Jupyter session through the REST API, including reading files, creating or modifying files, accessing kernels to execute arbitrary code, and creating terminals for shell access. This issue has been fixed in Notebook 7.5.6, JupyterLab 4.5.7, @jupyter-notebook/help-extension 7.5.6, and @jupyterlab/help-extension 4.5.7. As a workaround, disable the affected help extensions or set allowCommandLinker to false in the sanitizer configuration.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
Improper neutralization of input during web page generation (cross-site scripting)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Cross-site scripting vulnerability in multiple Jupyter products
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Jupyter Notebook is an open-source web application from Project Jupyter for creating and sharing documents that combine code and explanatory text. JupyterLab is an open-source, extensible environment for interactive and reproducible computing, built on Jupyter Notebook and its architecture. Multiple Jupyter products contain a cross-site scripting vulnerability, which stems from stored cross-site scripting in the help command linker and may allow an attacker to steal authentication tokens through a malicious notebook file and fully take over the Jupyter session. The following products and versions are affected: Jupyter Notebook 7.0.0 through 7.5.5
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor           | Product        | Affected Versions  | CPE
jupyter          | notebook       | >=7.0.0, <=7.5.5   | -
jupyterlab       | help-extension | <=4.5.6            | -
jupyterlab       | jupyterlab     | <=4.5.6            | -
jupyter-notebook | help-extension | >=7.0.0, <=7.5.5   | -

II. Public POCs for CVE-2026-40171

No public POC found.

III. Intelligence Information for CVE-2026-40171

