EXECUTIVE SUMMARY:
CVE-2026-42557, with a CVSS score of 8.6, is a high-severity vulnerability affecting JupyterLab's command linker attributes in HTML, enabling one-click command execution from untrusted content. The affected software includes jupyterlab versions less than or equal to 4.5.6 and notebook versions greater than or equal to 7.0.0 and less than or equal to 7.5.5. An attacker can exploit this vulnerability by sharing a notebook or Markdown file containing a deceptive button which, upon a single click by the victim, invokes an arbitrary command without any code being submitted. This allows the attacker to execute arbitrary code in available kernels, delete files (leading to information loss), and open multiple kernels or create multiple files at once, impacting availability on Jupyter-server deployments. The arbitrary code execution is immediately visible to the user, while file deletion can be silent and go unnoticed for some time. Users of Chromium-based browsers are additionally susceptible to a multi-click attack variant that grants full access to the terminal and executes arbitrary commands with an expanded access scope.
RECOMMENDATION:
We recommend updating jupyterlab to version 4.5.7 and notebook to version 7.5.6.
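The following script is an added example, not tooling from the Jupyter project: it checks the jupyterlab and notebook versions installed in the current Python environment against the affected ranges and fixed versions stated in this advisory, so an administrator can confirm whether the recommended update has been applied.

```python
"""Audit the local environment for CVE-2026-42557 (JupyterLab / notebook).
Affected ranges and fixed versions are taken from the advisory text;
this is an added example, not code from the Jupyter project."""
from importlib import metadata
import re

# min=None means "every version up to max" (jupyterlab has no lower bound here).
AFFECTED = {
    "jupyterlab": {"min": None, "max": "4.5.6", "fixed": "4.5.7"},
    "notebook": {"min": "7.0.0", "max": "7.5.5", "fixed": "7.5.6"},
}


def parse_version(text):
    """Turn '4.5.6' (or '4.5.7rc1') into a comparable tuple of ints.
    Pre-release suffixes are dropped; that is good enough for a range check,
    but a '4.5.7rc1' install is reported as fixed, so verify release builds."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(package, version):
    """True if `version` of `package` lies inside the advisory's affected range."""
    rng = AFFECTED[package]
    v = parse_version(version)
    if rng["min"] is not None and v < parse_version(rng["min"]):
        return False
    return v <= parse_version(rng["max"])


def installed_version(package):
    """Installed version string, or None when the package is absent."""
    try:
        return metadata.version(package)
    except metadata.PackageNotFoundError:
        return None


def audit():
    """Return {package: (installed_version_or_None, affected_bool)}."""
    report = {}
    for package in AFFECTED:
        ver = installed_version(package)
        report[package] = (ver, is_affected(package, ver) if ver else False)
    return report


if __name__ == "__main__":
    for package, (ver, hit) in audit().items():
        status = "not installed" if ver is None else ("AFFECTED" if hit else "ok")
        print(f"{package}: {ver or '-'} -> {status}; fixed in {AFFECTED[package]['fixed']}")
```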
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-mqcg-5x36-vfcg