Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/notebook@7.2.0rc1

Type pypi

Namespace

Name notebook

Version 7.2.0rc1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 7.5.6

Latest_non_vulnerable_version 7.6.0a0

Affected_by_vulnerabilities

url VCID-9ch7-su6u-b3ft

vulnerability_id VCID-9ch7-su6u-b3ft

summary

In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be chained with attacker-controlled notebook content to steal authentication tokens with a single click.

An attacker can craft a malicious notebook file containing elements that appear indistinguishable from legitimate controls and trigger execution when a user interacts with them. Successful exploitation allows theft of the user's authentication token and complete takeover of the Jupyter session through the REST API, including reading files, creating or modifying files, accessing kernels to execute arbitrary code, and creating terminals for shell access. This issue has been fixed in Notebook 7.5.6, JupyterLab 4.5.7, @jupyter-notebook/help-extension 7.5.6, and @jupyterlab/help-extension 4.5.7. As a workaround, disable the affected help extensions or set allowCommandLinker to false in the sanitizer configuration.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-40171

reference_id

reference_type

scores

value	0.00059
scoring_system	epss
scoring_elements	0.18772
published_at	2026-06-14T12:55:00Z

value	0.00059
scoring_system	epss
scoring_elements	0.18616
published_at	2026-06-11T12:55:00Z

value	0.00059
scoring_system	epss
scoring_elements	0.18796
published_at	2026-06-13T12:55:00Z

value	0.00059
scoring_system	epss
scoring_elements	0.18779
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-40171

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40171
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40171

reference_url

https://github.com/jupyter/notebook

reference_id

reference_type

scores

value	8.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/jupyter/notebook

reference_url

https://jupyterlab.readthedocs.io/en/latest/user/commands.html#commands-in-markdown-output-and-files

reference_id

reference_type

scores

value	8.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://jupyterlab.readthedocs.io/en/latest/user/commands.html#commands-in-markdown-output-and-files

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-40171

reference_id

reference_type

scores

value	8.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-40171

reference_url

https://github.com/advisories/GHSA-rch3-82jr-f9w9

reference_id

GHSA-rch3-82jr-f9w9

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-rch3-82jr-f9w9

reference_url

https://github.com/jupyter/notebook/security/advisories/GHSA-rch3-82jr-f9w9

reference_id

GHSA-rch3-82jr-f9w9

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	8.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T12:24:07Z/

url

https://github.com/jupyter/notebook/security/advisories/GHSA-rch3-82jr-f9w9

fixed_packages

url	pkg:pypi/notebook@7.5.6
purl	pkg:pypi/notebook@7.5.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/notebook@7.5.6

url	pkg:pypi/notebook@7.6.0a0
purl	pkg:pypi/notebook@7.6.0a0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/notebook@7.6.0a0

aliases CVE-2026-40171, GHSA-rch3-82jr-f9w9

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9ch7-su6u-b3ft

url VCID-pjk6-29bj-4kg1

vulnerability_id VCID-pjk6-29bj-4kg1

summary jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with a pre-saved HTML cell output containing a deceptive button can trigger arbitrary JupyterLab commands - including arbitrary code execution - on a single user click, without any code being submitted for execution by the user. This vulnerability is fixed in 4.5.7.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-42557

reference_id

reference_type

scores

value	0.00079
scoring_system	epss
scoring_elements	0.23455
published_at	2026-06-11T12:55:00Z

value	0.00079
scoring_system	epss
scoring_elements	0.23661
published_at	2026-06-13T12:55:00Z

value	0.00079
scoring_system	epss
scoring_elements	0.23651
published_at	2026-06-12T12:55:00Z

value	0.00086
scoring_system	epss
scoring_elements	0.25003
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-42557

reference_url

https://github.com/jupyterlab/jupyterlab

reference_id

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/jupyterlab/jupyterlab

reference_url

https://jupyterlab.readthedocs.io/en/latest/user/commands.html#commands-in-markdown-files

reference_id

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://jupyterlab.readthedocs.io/en/latest/user/commands.html#commands-in-markdown-files

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-42557

reference_id

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-42557

reference_url

https://github.com/advisories/GHSA-mqcg-5x36-vfcg

reference_id

GHSA-mqcg-5x36-vfcg

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-mqcg-5x36-vfcg

reference_url

https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-mqcg-5x36-vfcg

reference_id

GHSA-mqcg-5x36-vfcg

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-14T17:57:35Z/

url

https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-mqcg-5x36-vfcg

fixed_packages

url	pkg:pypi/notebook@7.5.6
purl	pkg:pypi/notebook@7.5.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/notebook@7.5.6

aliases CVE-2026-42557, GHSA-mqcg-5x36-vfcg

risk_score 4.3

exploitability 0.5

weighted_severity 8.6

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pjk6-29bj-4kg1

url VCID-zvjv-zb1q-bqdm

vulnerability_id VCID-zvjv-zb1q-bqdm

summary

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-43805

reference_id

reference_type

scores

value	0.00428
scoring_system	epss
scoring_elements	0.62901
published_at	2026-06-11T12:55:00Z

value	0.00428
scoring_system	epss
scoring_elements	0.63011
published_at	2026-06-14T12:55:00Z

value	0.00428
scoring_system	epss
scoring_elements	0.63015
published_at	2026-06-13T12:55:00Z

value	0.00428
scoring_system	epss
scoring_elements	0.63003
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-43805

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/jupyterlab/jupyterlab

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

value	8.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/jupyterlab/jupyterlab

reference_url

https://github.com/jupyterlab/jupyterlab/commit/06ad9de836f155add7d3d651ef936cc4c5ea8093

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

value	8.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/jupyterlab/jupyterlab/commit/06ad9de836f155add7d3d651ef936cc4c5ea8093

reference_url

https://github.com/jupyterlab/jupyterlab/commit/88e24baac551196f9cb3de16bd060a7ab1597674

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

value	8.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/jupyterlab/jupyterlab/commit/88e24baac551196f9cb3de16bd060a7ab1597674

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082871
reference_id	1082871
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082871

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-43805

reference_id

CVE-2024-43805

reference_type

scores

value	7.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

value	8.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-43805

reference_url

https://github.com/advisories/GHSA-9q39-rmj3-p4r2

reference_id

GHSA-9q39-rmj3-p4r2

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-9q39-rmj3-p4r2

reference_url

https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-9q39-rmj3-p4r2

reference_id

GHSA-9q39-rmj3-p4r2

reference_type

scores

value	7.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	8.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-28T19:58:47Z/

url

https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-9q39-rmj3-p4r2

fixed_packages

url pkg:pypi/notebook@7.2.2

purl pkg:pypi/notebook@7.2.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9ch7-su6u-b3ft

vulnerability	VCID-pjk6-29bj-4kg1

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/notebook@7.2.2

aliases CVE-2024-43805, GHSA-9q39-rmj3-p4r2

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zvjv-zb1q-bqdm

Fixing_vulnerabilities

Risk_score 4.3

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/notebook@7.2.0rc1

Package Instance