JupyterLab Support & Health

GHSA-37w4-hwhx-4rc4 CVSS_V3

JupyterHub has an Extension Manager API/GUI Policy Discrepancy, allowing 3rd party (malicious) extensions install via POST request

Published: 2026-05-05 Fixed in: 4.5.7

GHSA-44cc-43rp-5947 CVSS_V3

JupyterLab vulnerable to potential authentication and CSRF tokens leak

Published: 2024-01-19 Fixed in: 4.0.11

GHSA-4952-p58q-6crx CVSS_V3

JupyterLab: XSS due to lack of sanitization of the action attribute of an html <form>

Published: 2021-08-23 Fixed in: 1.2.21

GHSA-4m77-cmpx-vjc4 CVSS_V3

JupyterLab vulnerable to SXSS in Markdown Preview

Published: 2024-01-19 Fixed in: 4.0.11

GHSA-9q39-rmj3-p4r2 CVSS_V3

HTML injection in Jupyter Notebook and JupyterLab leading to DOM Clobbering

Published: 2024-08-29 Fixed in: 3.6.8

GHSA-mqcg-5x36-vfcg CVSS_V4

JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content

Published: 2026-05-06 Fixed in: 4.5.7

GHSA-rch3-82jr-f9w9 CVSS_V4

Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS

Published: 2026-04-30 Fixed in: 7.5.6

GHSA-vvfj-2jqx-52jm CVSS_V4

JupyterLab LaTeX typesetter links did not enforce `noopener` attribute

Published: 2025-09-26 Fixed in: 4.4.8

PYSEC-2021-130 Unknown

Published: 2021-08-09 Fixed in: 504825938c0abfa2fb8ff8d529308830a5ae42ed

JupyterLab