<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the most 10 recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Thu, 16 Jul 2026 10:46:24 +0000</lastBuildDate>
    <item>
      <title>49674c42-23ea-4c94-8f4c-8d8a7c1315cd</title>
      <link>https://vulnerability.circl.lu/sighting/49674c42-23ea-4c94-8f4c-8d8a7c1315cd/export</link>
      <description>{"uuid": "49674c42-23ea-4c94-8f4c-8d8a7c1315cd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-vmhf-c436-hxj4", "type": "seen", "source": "https://gist.github.com/alon710/deca315ed07761ee339643a66641a622", "content": "# GHSA-VMHF-C436-HXJ4: GHSA-VMHF-C436-HXJ4: Client-side Stored Cross-Site Scripting (XSS) in JupyterLab Extension Manager\n\n&amp;gt; **CVSS Score:** 5.1\n&amp;gt; **Published:** 2026-06-19\n&amp;gt; **Full Report:** https://cvereports.com/reports/GHSA-VMHF-C436-HXJ4\n\n## Summary\nA client-side Stored Cross-Site Scripting (XSS) vulnerability exists in the JupyterLab Extension Manager. This vulnerability allows an attacker to register a malicious package on the Python Package Index (PyPI) with a crafted metadata homepage URL using the 'javascript:' pseudo-protocol. When a JupyterLab user opens the Extension Manager and clicks the extension name, the browser executes arbitrary JavaScript code within the context of the JupyterLab origin. This can lead to the theft of active workspace documents, credentials, and API tokens. The issue affects all versions of JupyterLab prior to version 4.5.9.\n\n## TL;DR\nJupyterLab versions before 4.5.9 are vulnerable to Stored Cross-Site Scripting (XSS) via the Extension Manager. Attackers can leverage malicious homepage metadata in PyPI packages to execute arbitrary JavaScript in the user's browser session.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-79 / CWE-20\n- **Attack Vector**: Network (AV:N)\n- **CVSS v4.0**: 5.1 (Medium)\n- **Exploit Status**: Proof-of-Concept\n- **Affected Versions**: All versions prior to 4.5.9\n- **Remediation**: Upgrade to v4.5.9 or set extension_manager to 'none'\n\n## Affected Systems\n\n- JupyterLab\n- **jupyterlab**: &amp;lt; 4.5.9 (Fixed in: `4.5.9`)\n\n## Mitigation\n\n- Upgrade JupyterLab to version 4.5.9 or higher.\n- Disable the JupyterLab Extension Manager to prevent external package metadata queries.\n- Apply local network restrictions to limit unauthorized outgoing connections from JupyterLab browser sessions.\n\n**Remediation Steps:**\n1. To upgrade JupyterLab via pip, run: pip install --upgrade jupyterlab&amp;gt;=4.5.9\n2. To upgrade via conda, run: conda update jupyterlab\n3. To disable the Extension Manager manually, open jupyter_server_config.json and add: { \"LabApp\": { \"extension_manager\": \"none\" } }\n\n## References\n\n- [GitHub Security Advisory GHSA-vmhf-c436-hxj4](https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-vmhf-c436-hxj4)\n- [JupyterLab v4.5.9 Release Tag](https://github.com/jupyterlab/jupyterlab/releases/tag/v4.5.9)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-VMHF-C436-HXJ4) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-19T16:42:15.000000Z"}</description>
      <content:encoded>{"uuid": "49674c42-23ea-4c94-8f4c-8d8a7c1315cd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-vmhf-c436-hxj4", "type": "seen", "source": "https://gist.github.com/alon710/deca315ed07761ee339643a66641a622", "content": "# GHSA-VMHF-C436-HXJ4: GHSA-VMHF-C436-HXJ4: Client-side Stored Cross-Site Scripting (XSS) in JupyterLab Extension Manager\n\n&amp;gt; **CVSS Score:** 5.1\n&amp;gt; **Published:** 2026-06-19\n&amp;gt; **Full Report:** https://cvereports.com/reports/GHSA-VMHF-C436-HXJ4\n\n## Summary\nA client-side Stored Cross-Site Scripting (XSS) vulnerability exists in the JupyterLab Extension Manager. This vulnerability allows an attacker to register a malicious package on the Python Package Index (PyPI) with a crafted metadata homepage URL using the 'javascript:' pseudo-protocol. When a JupyterLab user opens the Extension Manager and clicks the extension name, the browser executes arbitrary JavaScript code within the context of the JupyterLab origin. This can lead to the theft of active workspace documents, credentials, and API tokens. The issue affects all versions of JupyterLab prior to version 4.5.9.\n\n## TL;DR\nJupyterLab versions before 4.5.9 are vulnerable to Stored Cross-Site Scripting (XSS) via the Extension Manager. Attackers can leverage malicious homepage metadata in PyPI packages to execute arbitrary JavaScript in the user's browser session.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-79 / CWE-20\n- **Attack Vector**: Network (AV:N)\n- **CVSS v4.0**: 5.1 (Medium)\n- **Exploit Status**: Proof-of-Concept\n- **Affected Versions**: All versions prior to 4.5.9\n- **Remediation**: Upgrade to v4.5.9 or set extension_manager to 'none'\n\n## Affected Systems\n\n- JupyterLab\n- **jupyterlab**: &amp;lt; 4.5.9 (Fixed in: `4.5.9`)\n\n## Mitigation\n\n- Upgrade JupyterLab to version 4.5.9 or higher.\n- Disable the JupyterLab Extension Manager to prevent external package metadata queries.\n- Apply local network restrictions to limit unauthorized outgoing connections from JupyterLab browser sessions.\n\n**Remediation Steps:**\n1. To upgrade JupyterLab via pip, run: pip install --upgrade jupyterlab&amp;gt;=4.5.9\n2. To upgrade via conda, run: conda update jupyterlab\n3. To disable the Extension Manager manually, open jupyter_server_config.json and add: { \"LabApp\": { \"extension_manager\": \"none\" } }\n\n## References\n\n- [GitHub Security Advisory GHSA-vmhf-c436-hxj4](https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-vmhf-c436-hxj4)\n- [JupyterLab v4.5.9 Release Tag](https://github.com/jupyterlab/jupyterlab/releases/tag/v4.5.9)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-VMHF-C436-HXJ4) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-19T16:42:15.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/49674c42-23ea-4c94-8f4c-8d8a7c1315cd/export</guid>
      <pubDate>Fri, 19 Jun 2026 16:42:15 +0000</pubDate>
    </item>
  </channel>
</rss>
