Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS

Severity:: High

Description

A stored Cross-Site Scripting (XSS) vulnerability in Jupyter Notebook allows attackers to steal authentication tokens from users who open malicious notebook files and interact with elements that the attacker can make look indistinguishable from legitimate controls (single click interaction).

Recommendation

Update the @jupyterlab/help-extension package to the latest compatible version. Followings are version details:

Affected version(s): <= 4.5.6
Patched version(s): 4.5.7

References

GHSA-rch3-82jr-f9w9
jupyterlab.readthedocs.io
CVE-2026-40171
CWE-601
CWE-79
CAPEC-310
OWASP 2021-A1
OWASP 2021-A3
OWASP 2021-A6

Related Issues

HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft - CVE-2026-46496
defuddle vulnerable to XSS via unescaped string interpolation in _findContentBySchemaText image tag - CVE-2026-30830
Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types - CVE-2026-31868
Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter - CVE-2026-30965

How do hackers hack websites?

How to Secure your NodeJs Express Javascript Application - part 1

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:: npm; @jupyterlab/help-extension

Anything's wrong? Let us know Last updated on May 08, 2026