CVE-2026-42266 · HIGH 8.8 · EPSS p38.0%

Description

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook architecture. In versions 4.0.0 through 4.5.6, the allow-list of extensions that may be installed through the PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab, and the PyPI Extension Manager was not restricted to packages listed on the default PyPI index. This vulnerability is fixed in 4.5.7. The CVSS vector (PR:L, UI:N) reflects that exploitation requires an authenticated JupyterLab user but no further interaction. Upgrade to 4.5.7 or later; where the upgrade cannot be applied immediately, the extension manager can be switched to a read-only implementation (see reference 4) so that no installs go through the PyPI manager at all.
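To turn the affected range above into a check you can run against a fleet, here is an added example (not code from the JupyterLab project or from this page): it pulls the pinned jupyterlab version out of pip-freeze output for each host, treats pre-releases of 4.5.7 as still unfixed, and lists the hosts that need the 4.5.7 upgrade. The host inventory embedded in it is constructed sample data.

```python
"""Flag JupyterLab installs in the CVE-2026-42266 affected range (4.0.0 to 4.5.6, fixed in 4.5.7).

Added example, not code from the JupyterLab project. The inventory below is a
constructed sample of pip-freeze excerpts, not real data.
"""
import re
from typing import Dict, List, Optional, Tuple

AFFECTED_MIN = (4, 0, 0)  # first affected release, inclusive (advisory text)
FIXED = (4, 5, 7)         # first fixed release

# X.Y.Z followed by an optional suffix (rc1, a2, .post1, +local, ...)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")
# Suffixes that sort at or after the plain release rather than before it
_NOT_PRERELEASE_RE = re.compile(r"^(\.post\d*|\+.*)$")


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """Return ((major, minor, patch), is_prerelease), or None if unparseable.

    A .postN or +local suffix is not a pre-release; any other suffix (rc1, a1,
    .dev0) is treated as one, which is the conservative choice for a
    vulnerability check.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    suffix = m.group(4)
    prerelease = bool(suffix) and not _NOT_PRERELEASE_RE.match(suffix)
    return core, prerelease


def is_affected(version: str) -> bool:
    """True if this JupyterLab version falls inside [4.0.0, 4.5.7)."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    core, prerelease = parsed
    if core < AFFECTED_MIN:
        return False
    if core < FIXED:
        return True
    # 4.5.7rc1 sorts before the 4.5.7 release, so it is still unfixed.
    return core == FIXED and prerelease


def jupyterlab_version(freeze_text: str) -> Optional[str]:
    """Pull the pinned jupyterlab version out of `pip freeze` style output."""
    for line in freeze_text.splitlines():
        name, sep, ver = line.partition("==")
        if sep and name.strip().lower().replace("_", "-") == "jupyterlab":
            return ver.strip()
    return None


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose jupyterlab pin is in the affected range, sorted by name."""
    hits = []
    for host, freeze_text in inventory.items():
        version = jupyterlab_version(freeze_text)
        if version is not None and is_affected(version):
            hits.append(host)
    return sorted(hits)


# Constructed sample inventory: hostname -> pip freeze excerpt (not real data).
SAMPLE_INVENTORY = {
    "nb-01": "jupyterlab==4.5.6\nnotebook==7.3.2\n",
    "nb-02": "jupyterlab==4.5.7\njupyterlab_server==2.27.3\n",
    "nb-03": "jupyterlab==3.6.8\n",
    "nb-04": "jupyterlab==4.5.7rc1\n",
    "nb-05": "jupyterlab==4.5.7.post1\n",
    "nb-06": "notebook==7.3.2\n",  # no JupyterLab installed at all
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        ver = jupyterlab_version(SAMPLE_INVENTORY[host])
        print(f"{host}: JupyterLab {ver} is affected by CVE-2026-42266; upgrade to 4.5.7 or later")
```

Feed it real `pip freeze` output (one excerpt per host) in place of the sample dict. Hosts where the pin is absent (no JupyterLab) are skipped rather than reported, and a version string the regex cannot parse raises instead of silently passing, so an odd pin shows up as an error rather than a false negative.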

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.49% probability of exploitation · percentile 38.0% · 2026-06-18T12:00:27Z
Published: 2026-05-13
Last modified: 2026-05-26

Underlying weaknesses · 2

CWE-88, CWE-602

References

  1. https://github.com/jupyterlab/jupyterlab/releases/tag/v4.5.7
  2. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-37w4-hwhx-4rc4
  3. https://jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.html
  4. https://jupyterlab.readthedocs.io/en/latest/user/extensions.html#extension-manager-implementations

Weakness mappings · 2

Type      Target                                                                                       Confidence  Tier
Weakness  Client-Side Enforcement of Server-Side Security (CWE-602)                                    0%          live
Weakness  Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus (all CVEs):

  1. CVE-2026-42557
  2. CVE-2026-49384
  3. CVE-2026-6657
  4. CVE-2026-40864
  5. CVE-2026-5422
  6. CVE-2026-35397

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.