{"data":{"id":"13bde615-c700-4b09-8e61-2c9f5f0b580a","title":"GHSA-rch3-82jr-f9w9: Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS","summary":"Jupyter Notebook has a stored XSS (cross-site scripting, a type of attack where malicious code runs in a user's browser when they view a webpage or file) vulnerability that lets attackers steal authentication tokens (credentials that prove who you are) by tricking users into clicking fake controls in malicious notebook files. An attacker who steals these tokens can take over the user's account, read files, run code, and access the system.","solution":"Update to Jupyter Notebook 7.5.6 or JupyterLab 4.5.7, which include the patches. As a temporary workaround, disable the help extensions by running: `jupyter labextension disable @jupyter-notebook/help-extension` and `jupyter labextension disable @jupyterlab/help-extension`. For additional hardening, disable command linker functionality by adding this to `overrides.json`: `{\"@jupyterlab/apputils-extension:sanitizer\": {\"allowCommandLinker\": false}}`.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-rch3-82jr-f9w9","publishedAt":"2026-04-30T17:25:47.000Z","cveId":"CVE-2026-40171","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["jailbreak"],"issueType":"vulnerability","affectedPackages":["@jupyterlab/help-extension@<= 4.5.6 (fixed: 4.5.7)","jupyterlab@<= 4.5.6 (fixed: 4.5.7)","notebook@>= 7.0.0, <= 7.5.5 (fixed: 7.5.6)","@jupyter-notebook/help-extension@>= 7.0.0, <= 7.5.5 (fixed: 7.5.6)"],"affectedVendors":[],"affectedVendorsRaw":["Jupyter Notebook","JupyterLab"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-04-30T17:25:47.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":["AML.T0054"]}}