CVE-2026-54527

JupyterLab · jupyterlab-git

JupyterLab Git is vulnerable to stored Cross-site Scripting (XSS) via crafted filenames, allowing JavaScript execution when a victim views the rename diff in the Git History tab.

Executive summary

A stored Cross-site Scripting (XSS) vulnerability in the jupyterlab-git extension allows attackers to execute arbitrary JavaScript in the context of a victim's session.

Vulnerability

The PlainTextDiff.ts component fails to properly sanitize Git filenames when rendering rename diffs in the Git History tab. By injecting malicious scripts into a filename, an authenticated user can trigger execution when another user views the diff.

Business impact

An attacker can leverage this vulnerability to steal session cookies, perform actions on behalf of the victim, or redirect users to malicious content. Given the collaborative nature of JupyterLab environments, this could lead to widespread credential theft or unauthorized repository manipulation. The high CVSS score reflects the potential for significant impact on both client-side security and data integrity.

Remediation

Immediate Action: Update the jupyterlab-git extension to version 0.54.0 or later to patch the underlying rendering flaw.

Proactive Monitoring: Monitor Git commit history logs for suspiciously formatted filenames or characters that appear intended to break HTML rendering.

Compensating Controls: Implement strict Content Security Policy (CSP) headers to mitigate the impact of potential XSS attacks by restricting the execution of unauthorized scripts.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Users of the JupyterLab Git extension should treat this as a high-priority update. Because this vulnerability facilitates session hijacking, patching is essential to maintain the security of the collaborative research or development environment.