CVE-2026-54527
Received Received - Intake

Stored XSS in JupyterLab Git Extension via Malicious Filename

Vulnerability report for CVE-2026-54527, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

JupyterLab Git is a Git extension for JupyterLab. From 0.30.0b3 before 0.54.0, the PlainTextDiff.ts createHeader() method passes Git filenames directly to innerHTML when rendering renamed files in commit history, allowing a crafted filename to execute JavaScript when a victim views the rename diff in the Git History tab. This issue is fixed in version 0.54.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
jupyterlab_git jupyterlab_git From 0.30.0b3 (inc) to 0.54.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability affects JupyterLab Git versions from 0.30.0b3 before 0.54.0. Detection involves identifying if these vulnerable versions are installed on your system.

You can check the installed version of the jupyterlab_git extension by running the following command in your terminal or Jupyter environment:

  • jupyter labextension list

Look for the jupyterlab_git extension and verify its version. If the version is between 0.30.0b3 and before 0.54.0, your system is vulnerable.

Additionally, you can inspect the installed Python package version with:

  • pip show jupyterlab-git

If the version is vulnerable, consider upgrading to version 0.54.0 or later to mitigate the issue.

Executive Summary

This vulnerability exists in the JupyterLab Git extension versions from 0.30.0b3 up to before 0.54.0. The issue is in the PlainTextDiff.ts createHeader() method, which passes Git filenames directly to innerHTML when rendering renamed files in the commit history. Because of this, a specially crafted filename can contain malicious JavaScript code that executes when a user views the rename diff in the Git History tab.

The vulnerability allows an attacker to inject and execute JavaScript code in the context of the victim's browser when they view the affected Git history.

Impact Analysis

This vulnerability can lead to cross-site scripting (XSS) attacks, where an attacker can execute arbitrary JavaScript code in the victim's browser. This can result in unauthorized actions such as stealing sensitive information, hijacking user sessions, or performing actions on behalf of the user without their consent.

Because the vulnerability requires the victim to view the rename diff in the Git History tab, it relies on user interaction, but the impact is high due to the potential for remote code execution within the browser.

Mitigation Strategies

To mitigate this vulnerability, upgrade JupyterLab Git to version 0.54.0 or later, where the issue has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54527. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart