8.8
CVE-2026-42266
- EPSS 0.53%
- Veröffentlicht 13.05.2026 15:08:49
- Zuletzt bearbeitet 06.07.2026 13:16:54
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
JupyterLab has an Extension Manager API/GUI Policy Discrepancy allowing 3rd party (malicious) extensions install via POST request.
JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The PyPI Extension Manager was not contained to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Jupyter ≫ Jupyterlab Version >= 4.0.0 < 4.5.7
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.53% | 0.407 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-602 Client-Side Enforcement of Server-Side Security
The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-37w4-hwhx-4rc4
https://github.com/jupyterlab/jupyterlab/releases/tag/v4.5.7
https://jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.html
https://jupyterlab.readthedocs.io/en/latest/user/extensions.html#extension-manager-implementations
https://access.redhat.com/security/cve/CVE-2026-42266
https://bugzilla.redhat.com/show_bug.cgi?id=2477072
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42266.json