Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/notebook@7.2.0rc0

Type pypi

Namespace

Name notebook

Version 7.2.0rc0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 7.5.6

Latest_non_vulnerable_version 7.6.0a0

Affected_by_vulnerabilities

url VCID-6ru3-na8t-nuab

vulnerability_id VCID-6ru3-na8t-nuab

summary

HTML injection in Jupyter Notebook and JupyterLab leading to DOM Clobbering
The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature.

A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-43805

reference_id

reference_type

scores

value	0.00428
scoring_system	epss
scoring_elements	0.62821
published_at	2026-06-08T12:55:00Z

value	0.00428
scoring_system	epss
scoring_elements	0.62835
published_at	2026-06-07T12:55:00Z

value	0.00428
scoring_system	epss
scoring_elements	0.62844
published_at	2026-06-06T12:55:00Z

value	0.00428
scoring_system	epss
scoring_elements	0.62836
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-43805

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/jupyterlab/jupyterlab

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

value	8.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/jupyterlab/jupyterlab

reference_url

https://github.com/jupyterlab/jupyterlab/commit/06ad9de836f155add7d3d651ef936cc4c5ea8093

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

value	8.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/jupyterlab/jupyterlab/commit/06ad9de836f155add7d3d651ef936cc4c5ea8093

reference_url

https://github.com/jupyterlab/jupyterlab/commit/88e24baac551196f9cb3de16bd060a7ab1597674

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

value	8.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/jupyterlab/jupyterlab/commit/88e24baac551196f9cb3de16bd060a7ab1597674

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082871
reference_id	1082871
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082871

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-43805

reference_id

CVE-2024-43805

reference_type

scores

value	7.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

value	8.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-43805

reference_url

https://github.com/advisories/GHSA-9q39-rmj3-p4r2

reference_id

GHSA-9q39-rmj3-p4r2

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-9q39-rmj3-p4r2

reference_url

https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-9q39-rmj3-p4r2

reference_id

GHSA-9q39-rmj3-p4r2

reference_type

scores

value	7.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	8.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-28T19:58:47Z/

url

https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-9q39-rmj3-p4r2

fixed_packages

url pkg:pypi/notebook@7.2.2

purl pkg:pypi/notebook@7.2.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kfax-86fe-pkfw

vulnerability	VCID-x1da-f4dw-tua8

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/notebook@7.2.2

aliases CVE-2024-43805, GHSA-9q39-rmj3-p4r2

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6ru3-na8t-nuab

url VCID-kfax-86fe-pkfw

vulnerability_id VCID-kfax-86fe-pkfw

summary In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be chained with attacker-controlled notebook content to steal authentication tokens with a single click. An attacker can craft a malicious notebook file containing elements that appear indistinguishable from legitimate controls and trigger execution when a user interacts with them. Successful exploitation allows theft of the user's authentication token and complete takeover of the Jupyter session through the REST API, including reading files, creating or modifying files, accessing kernels to execute arbitrary code, and creating terminals for shell access. This issue has been fixed in Notebook 7.5.6, JupyterLab 4.5.7, @jupyter-notebook/help-extension 7.5.6, and @jupyterlab/help-extension 4.5.7. As a workaround, disable the affected help extensions or set allowCommandLinker to false in the sanitizer configuration.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-40171

reference_id

reference_type

scores

value	0.00054
scoring_system	epss
scoring_elements	0.17176
published_at	2026-06-05T12:55:00Z

value	0.00054
scoring_system	epss
scoring_elements	0.17171
published_at	2026-06-06T12:55:00Z

value	0.00059
scoring_system	epss
scoring_elements	0.18599
published_at	2026-06-07T12:55:00Z

value	0.00059
scoring_system	epss
scoring_elements	0.18517
published_at	2026-06-08T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-40171

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40171
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40171

reference_url

https://github.com/jupyter/notebook

reference_id

reference_type

scores

value	8.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/jupyter/notebook

reference_url

https://github.com/jupyter/notebook/security/advisories/GHSA-rch3-82jr-f9w9

reference_id

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	8.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-07T12:24:07Z/

url

https://github.com/jupyter/notebook/security/advisories/GHSA-rch3-82jr-f9w9

reference_url

https://jupyterlab.readthedocs.io/en/latest/user/commands.html#commands-in-markdown-output-and-files

reference_id

reference_type

scores

value	8.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://jupyterlab.readthedocs.io/en/latest/user/commands.html#commands-in-markdown-output-and-files

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-40171

reference_id

reference_type

scores

value	8.4
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-40171

reference_url

https://github.com/advisories/GHSA-rch3-82jr-f9w9

reference_id

GHSA-rch3-82jr-f9w9

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-rch3-82jr-f9w9

fixed_packages

url	pkg:pypi/notebook@7.5.6
purl	pkg:pypi/notebook@7.5.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/notebook@7.5.6

url	pkg:pypi/notebook@7.6.0a0
purl	pkg:pypi/notebook@7.6.0a0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/notebook@7.6.0a0

aliases CVE-2026-40171, GHSA-rch3-82jr-f9w9

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kfax-86fe-pkfw

url VCID-x1da-f4dw-tua8

vulnerability_id VCID-x1da-f4dw-tua8

summary jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all click events on document.body and executes the named command without checking whether the element came from trusted JupyterLab UI. A notebook with a pre-saved HTML cell output containing a deceptive button can trigger arbitrary JupyterLab commands - including arbitrary code execution - on a single user click, without any code being submitted for execution by the user. This vulnerability is fixed in 4.5.7.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-42557

reference_id

reference_type

scores

value	0.00061
scoring_system	epss
scoring_elements	0.19357
published_at	2026-06-05T12:55:00Z

value	0.00061
scoring_system	epss
scoring_elements	0.19353
published_at	2026-06-06T12:55:00Z

value	0.00079
scoring_system	epss
scoring_elements	0.23411
published_at	2026-06-08T12:55:00Z

value	0.00079
scoring_system	epss
scoring_elements	0.23466
published_at	2026-06-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-42557

reference_url

https://github.com/jupyterlab/jupyterlab

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/jupyterlab/jupyterlab

reference_url

https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-mqcg-5x36-vfcg

reference_id

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-14T17:57:35Z/

url

https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-mqcg-5x36-vfcg

reference_url

https://jupyterlab.readthedocs.io/en/latest/user/commands.html#commands-in-markdown-files

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://jupyterlab.readthedocs.io/en/latest/user/commands.html#commands-in-markdown-files

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-42557

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-42557

reference_url

https://github.com/advisories/GHSA-mqcg-5x36-vfcg

reference_id

GHSA-mqcg-5x36-vfcg

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-mqcg-5x36-vfcg

fixed_packages

url	pkg:pypi/notebook@7.5.6
purl	pkg:pypi/notebook@7.5.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/notebook@7.5.6

aliases CVE-2026-42557, GHSA-mqcg-5x36-vfcg

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x1da-f4dw-tua8

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/notebook@7.2.0rc0

Package Instance