CVE-2026-42266
CVE-2026-42266
8.8
HighPublished:
Last updated:
Source:security-advisories@github.com
Analyzed
Weakness (CWE)
CVSS Vector
v3.1- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- Low
- User Interaction
- None
- Scope
- Unchanged
- Confidentiality
- High
- Integrity
- High
- Availability
- High
Description
JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not contained to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.
References
security-advisories@github.com
https://github.com/jupyterlab/jupyterlab/releases/tag/v4.5.7security-advisories@github.com
https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-37w4-hwhx-4rc4security-advisories@github.com
https://jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.htmlsecurity-advisories@github.com
https://jupyterlab.readthedocs.io/en/latest/user/extensions.html#extension-manager-implementations