Skip to main content

jupyterlab-git CVE-2026-54527

| EUVDEUVD-2026-42428 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-06-19 https://github.com/jupyterlab/jupyterlab-git GHSA-f962-v9hr-pfg5
9.3
CVSS 4.0 · Vendor: https://github.com/jupyterlab/jupyterlab-git
Share

Severity by source

Vendor (https://github.com/jupyterlab/jupyterlab-git) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.0 CRITICAL

Attacker needs repo commit access (PR:L) and victim must click through the rename diff (UI:R); browser XSS pivots to server terminal RCE, a scope change (S:C) with full C/I/A impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (https://github.com/jupyterlab/jupyterlab-git).

CVSS VectorVendor: https://github.com/jupyterlab/jupyterlab-git

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jul 08, 2026 - 21:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 08, 2026 - 21:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 08, 2026 - 21:22 vuln.today
cvss_changed
CVSS changed
Jul 08, 2026 - 21:22 NVD
9.3 (CRITICAL)
Source Code Evidence Fetched
Jun 19, 2026 - 21:25 vuln.today
Analysis Generated
Jun 19, 2026 - 21:25 vuln.today

DescriptionCVE.org

Overview

Amazon Web Services (AWS) Security has identified a stored cross-site scripting (XSS) issue in the jupyterlab-git JupyterLab extension that can lead to remote code execution (RCE). The issue exists in the PlainTextDiff.ts component, where the createHeader() method passes Git filenames directly to innerHTML without sanitization when rendering diffs for renamed files in commit history. This allows an adversary to craft a filename containing arbitrary HTML/JavaScript that executes when another user views the rename diff in the Git History tab.

The issue can be leveraged through the rename history view in the JupyterLab Git panel. An adversary creates a file with a crafted filename containing a JavaScript payload (e.g., <img src=x onerror=eval(atob("base64_payload"))>.py), renames the file in a subsequent commit, and pushes to a shared repository. When a victim clones the repository, navigates to the Git History tab, clicks the rename commit, and then clicks the renamed file to view the diff, the unsanitized filename renders via innerHTML, executing arbitrary JavaScript in the victim's browser session. The injected JavaScript reads the xsrf cookie, opens a JupyterLab terminal via POST /api/terminals, connects via WebSocket, and executes arbitrary shell commands - achieving full RCE. An adversary can leverage this to exfiltrate secrets or credentials from the victim's environment.

Scope of impact

We discovered this issue during internal security testing. The issue is present in the default configuration of JupyterLab when the jupyterlab-git extension is installed.

The attack requires:

  • The adversary to have commit access to a Git repository that the victim has cloned
  • The victim to navigate to the Git History tab, click the rename commit, and click the renamed file to view the diff

The issue could allow an actor who has access to a shared Git repository to execute arbitrary JavaScript in another user's JupyterLab environment by committing a file with a crafted filename, potentially leading to remote code execution with access to user code, data, environment variables, and credentials.

Proof of concept

The issue exists in the createHeader() method where filenames from rename history are passed directly to innerHTML without sanitization:

[1] https://github.com/jupyterlab/jupyterlab-git/blob/main/src/components/diff/PlainTextDiff.ts#L214

Attack flow:

  1. An adversary creates a file with a crafted filename containing a JavaScript payload, e.g., <img src=x onerror=eval(atob("base64_payload"))>.py
  2. The adversary renames the file in a subsequent commit and pushes both commits to a shared Git repository
  3. The victim clones or pulls the repository and navigates to the Git History tab in JupyterLab
  4. The victim clicks the rename commit, then clicks the renamed file to view the diff
  5. The createHeader() method constructs a diff header using string concatenation with the unsanitized filename and assigns the result to innerHTML
  6. The injected JavaScript executes in the victim's browser session, reads the _xsrf cookie, sends a POST request to /api/terminals to open a JupyterLab terminal, connects via WebSocket, and executes arbitrary shell commands

Proof-of-concept mitigation

The issue can be mitigated by replacing innerHTML with textContent for filename rendering in the createHeader() method of PlainTextDiff.ts. Alternatively, proper HTML sanitization (escaping <, >, &, ", ') can be applied before inserting user-controlled filenames into the DOM.

AnalysisAI

Stored cross-site scripting in the jupyterlab-git extension (versions 0.30.0b3 through 0.53.x) escalates to remote code execution when a victim views a rename diff in the Git History tab. The PlainTextDiff.ts createHeader() method injects unsanitized Git filenames into innerHTML, so a filename such as <img src=x onerror=eval(atob(...))>.py fires JavaScript that reads the _xsrf cookie, spawns a JupyterLab terminal via POST /api/terminals, and runs arbitrary shell commands. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain commit access to shared repo
Delivery
Commit file with XSS-crafted filename
Exploit
Push rename commit to repo
Install
Victim opens rename diff in Git History
C2
innerHTML executes injected JavaScript
Execute
Script opens terminal via /api/terminals
Impact
Run shell commands, exfiltrate credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires the adversary to have commit/push access to a Git repository that the victim has cloned into a JupyterLab environment with jupyterlab-git installed (default config once installed), and the crafted payload must be placed in a filename that is then renamed in a subsequent commit so it appears in rename history. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS 4.0 vector (9.3, AV:N/AC:L/AT:N/PR:L/UI:A with high impact to both vulnerable and subsequent systems) is credible: the attacker needs commit access to a shared repo (PR:L) and the victim must actively click through to the rename diff (UI:A), but the payoff is full high-impact compromise including a scope change to the server environment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with commit rights to a shared or collaborative repository adds a file named like <img src=x onerror=eval(atob("..."))>.py and renames it in a later commit, then pushes both commits. A data scientist pulls the repo in JupyterLab, opens the Git History tab, clicks the rename commit, and clicks the renamed file to view the diff; the payload executes in their session, opens a terminal via /api/terminals, and runs shell commands to exfiltrate environment variables and credentials. …
Remediation Vendor-released patch: upgrade to jupyterlab-git 0.54.0 (pip jupyterlab-git / jupyterlab-git-core and npm @jupyterlab/git all fixed at 0.54.0); the fix is in commit c6d37b88f36aa59aee317930b95e427fb9d6b09b and release https://github.com/jupyterlab/jupyterlab-git/releases/tag/v0.54.0, which replaces innerHTML rendering with textContent in PlainTextDiff.ts and NotebookDiff.ts. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all JupyterLab deployments and identify instances running jupyterlab-git extension versions 0.30.0b3-0.53.x. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54527 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy