PT-2026-36305 · Project Jupyter · Jupyterlab+1
Dtrops · Published 2026-04-30 · Updated 2026-05-11 · CVE-2026-40171
CVSS v4.0: 8.4 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Jupyter Notebook versions prior to 7.5.6; JupyterLab versions prior to 4.5.7.

Description: A stored Cross-Site Scripting (XSS) issue allows attackers to steal authentication tokens from users who open malicious notebook files and interact with elements designed to look like legitimate controls. This can lead to complete account takeover via the Jupyter REST API, enabling the attacker to read, modify, or create files, access running kernels to execute arbitrary code, and create terminals for shell access.

Recommendations:
Update Jupyter Notebook to version 7.5.6.
Update JupyterLab to version 4.5.7.
Disable the help extension via the CLI: jupyter labextension disable @jupyter-notebook/help-extension and jupyter labextension disable @jupyterlab/help-extension.
Disable the command linker functionality in overrides.json by setting @jupyterlab/apputils-extension:sanitizer with allowCommandLinker set to false.

Fix

XSS

Open Redirect

Weakness Enumeration

Related Identifiers

BIT-JUPYTER-BASE-NOTEBOOK-2026-40171
BIT-JUPYTER-NOTEBOOK-2026-40171
BIT-JUPYTERLAB-2026-40171
CVE-2026-40171
GHSA-RCH3-82JR-F9W9
OPENSUSE-SU-2026:10748-1
OPENSUSE-SU-2026:10749-1

Affected Products

Jupyter Notebook
Jupyterlab