CVE-2026-42557— JupyterLab 跨站脚本漏洞

jupyterlab: Command linker attributes in HTML enable one-click command execution from untrusted content

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with a pre-saved HTML cell output containing a deceptive button can trigger arbitrary JupyterLab commands - including arbitrary code execution - on a single user click, without any code being submitted for execution by the user. This vulnerability is fixed in 4.5.7.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

JupyterLab 跨站脚本漏洞

JupyterLab是JupyterLab开源的一个用于交互式和可重复计算的可扩展环境，基于 Jupyter Notebook 和架构。 jupyterlab 4.5.7之前版本存在跨站脚本漏洞，该漏洞源于HTML清理器允许data-commandlinker-command和data-commandlinker-args属性，且CommandLinker监听所有点击事件，可能导致恶意笔记本单元格输出触发任意JupyterLab命令。

N/A

N/A