EXECUTIVE SUMMARY:
CVE-2026-40171, with a CVSS score of 8.4, is a stored Cross-Site Scripting vulnerability in Jupyter Notebook. It allows attackers to steal authentication tokens from users who open malicious notebook files and interact, with a single click, with elements that the attacker can make look indistinguishable from legitimate controls. The vulnerability affects Jupyter Notebook 7.5.6 and JupyterLab 4.5.7 and enables complete account takeover through the Jupyter REST API, giving the attacker access to running kernels and the ability to execute arbitrary code. Exploitation requires no prior access to the system: a victim opening a malicious notebook file is enough for the attacker to gain arbitrary code execution on the victim's system. The business impact of exploitation includes complete account takeover and unauthorized access to sensitive data, potentially leading to significant financial and reputational damage.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-rch3-82jr-f9w9