Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

Filter advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
74
GitHub Actions
54
Go
4,082
Maven
5,000+
npm
5,000+
NuGet
994
pip
5,000+
Pub
13
RubyGems
1,095
Rust
1,413
Swift
61
Unreviewed advisories
All unreviewed
5,000+

13 advisories

Loading
jupyterlab-git extension: Stored XSS leading to RCE High
CVE-2026-54527 was published for @jupyterlab/git (npm) Jun 19, 2026
krassowski Credited to krassowski and jtpio jtpio jtpio
JupyterLab: Stored XSS in extension manager through package metadata unsanitized URI protocol Moderate
GHSA-vmhf-c436-hxj4 was published for jupyterlab (pip) Jun 19, 2026
krassowski Credited to krassowski and Yann-P Yann-P Yann-P
JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content High
CVE-2026-42557 was published for jupyterlab (pip) May 6, 2026
fg0x0 Credited to fg0x0, krassowski, jtpio, and Yann-P krassowski krassowski
jtpio jtpio Yann-P Yann-P
JupyterLab has an Extension Manager API/GUI Policy Discrepancy, allowing 3rd party (malicious) extensions install via POST request High
CVE-2026-42266 was published for jupyterlab (pip) May 5, 2026
pmcao Credited to pmcao, Yann-P, and krassowski Yann-P Yann-P
krassowski krassowski
Jupyter Server: Path Traversal via incorrect startswith() root directory check allows access to sibling directories High
CVE-2026-35397 was published for jupyter-server (pip) May 5, 2026
Yann-P Credited to Yann-P, Carreau, stef41, and krassowski Carreau Carreau
stef41 stef41 krassowski krassowski
Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS High
CVE-2026-40171 was published for @jupyter-notebook/help-extension (npm) Apr 30, 2026
dtrops Credited to dtrops, Carreau, Yann-P, krassowski, and jtpio Carreau Carreau
Yann-P Yann-P krassowski krassowski jtpio jtpio
nbconvert has an uncontrolled search path that leads to unauthorized code execution on Windows High
CVE-2025-53000 was published for nbconvert (pip) Dec 18, 2025
dlqqq Credited to dlqqq, krassowski, and yohannslm krassowski krassowski
yohannslm yohannslm
JupyterLab LaTeX typesetter links did not enforce `noopener` attribute Low
CVE-2025-59842 was published for jupyterlab (pip) Sep 26, 2025
Yaniv-git Credited to Yaniv-git, krassowski, and dlqqq krassowski krassowski
dlqqq dlqqq
Jupyter Core on Windows Has Uncontrolled Search Path Element Local Privilege Escalation Vulnerability High
CVE-2025-30167 was published for jupyter_core (pip) Jun 4, 2025
krassowski Credited to krassowski and zdi-disclosures zdi-disclosures zdi-disclosures
jupyterlab-git has a command injection vulnerability in "Open Git Repository in Terminal" High
CVE-2025-30370 was published for jupyterlab-git (pip) Apr 4, 2025
dlqqq Credited to dlqqq, rpwagner, and krassowski rpwagner rpwagner
krassowski krassowski
HTML injection in Jupyter Notebook and JupyterLab leading to DOM Clobbering High
CVE-2024-43805 was published for jupyterlab (pip) Aug 29, 2024
jackfromeast Credited to jackfromeast, ishmeals, RRosio, and krassowski ishmeals ishmeals
RRosio RRosio krassowski krassowski
jupyter-scheduler's endpoint is missing authentication Moderate
CVE-2024-28188 was published for jupyter-scheduler (pip) May 23, 2024
krassowski Credited to krassowski, Carreau, andrii-i, dlqqq, and yuvipanda Carreau Carreau
andrii-i andrii-i dlqqq dlqqq yuvipanda yuvipanda
Jupyter Server Proxy's Websocket Proxying does not require authentication Critical
CVE-2024-28179 was published for jupyter-server-proxy (pip) Mar 20, 2024
yuvipanda Credited to yuvipanda, consideRatio, manics, minrk, krassowski, dlqqq, and eddelbuettel consideRatio consideRatio
manics manics minrk minrk krassowski krassowski dlqqq dlqqq eddelbuettel eddelbuettel
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database