PT-2026-51065 · Jupyterlab · Jupyterlab-Git

Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-54527

CVSS v4.0: 8.6 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

jupyterlab-git (affected versions not specified)

Description

A stored cross-site scripting (XSS) issue exists in the PlainTextDiff.ts component of the jupyterlab-git extension. The createHeader() function passes Git filenames directly to innerHTML without sanitization when rendering diffs for renamed files in the commit history. An attacker with commit access to a shared Git repository can create a file with a crafted filename containing a JavaScript payload and rename it in a subsequent commit. When a victim views the rename diff in the Git History tab, the payload executes in their browser session. This can be leveraged to read the xsrf cookie, open a terminal via the '/api/terminals' endpoint, and execute arbitrary shell commands, resulting in remote code execution (RCE) that can be used to exfiltrate secrets or credentials.

Recommendations

As a temporary workaround, restrict access to shared Git repositories from untrusted contributors to minimize the risk of exploitation. In the createHeader() function of PlainTextDiff.ts, replace the use of innerHTML with textContent for filename rendering, or apply proper HTML sanitization that escapes the characters <, >, &, ", and ' before inserting filenames into the DOM.
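The remediation above, as an added illustration that is not jupyterlab-git's own code: a rename header built in the vulnerable style next to two hardened variants, one escaping the five characters the advisory lists, the other building the node with textContent. The CSS class name, function names and sample filenames are assumptions; the sample filename carries harmless markup only.

```javascript
// Escape the five characters that change meaning inside HTML text and attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern as described in the advisory: filenames are interpolated
// into markup that is then assigned to innerHTML. Kept only for comparison.
function renameHeaderUnsafe(oldPath, newPath) {
  return `<div class="jp-git-diff-header">${oldPath} &rarr; ${newPath}</div>`;
}

// Hardened variant 1: every filename is escaped before it touches markup, so a
// name like 'a<b>.txt' renders literally instead of becoming an element.
function renameHeaderSafe(oldPath, newPath) {
  return `<div class="jp-git-diff-header">${escapeHtml(oldPath)} &rarr; ${escapeHtml(newPath)}</div>`;
}

// Hardened variant 2: avoid markup entirely. The element is created through the
// DOM API and the filenames are assigned with textContent, which never parses
// HTML. `doc` is any Document-like object (window.document in JupyterLab).
function createHeaderWithTextContent(doc, oldPath, newPath) {
  const header = doc.createElement('div');
  header.className = 'jp-git-diff-header';
  header.textContent = `${oldPath} \u2192 ${newPath}`;
  return header;
}

// Constructed sample: a renamed file whose new name contains benign markup,
// standing in for the crafted filename described in the advisory.
const SAMPLE_OLD = 'report.ipynb';
const SAMPLE_NEW = 'report<i title="x">.ipynb';
```

Comparing renameHeaderUnsafe and renameHeaderSafe on the two sample names shows the difference directly: the first emits a real `<i>` element, the second emits `&lt;i title=&quot;x&quot;&gt;`.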

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-54527
GHSA-F962-V9HR-PFG5

Affected Products

Jupyterlab-Git