jupyterlab-git

CVE-2026-54527

CVE-2026-54527 is a high-severity cross-site scripting (XSS) vulnerability in jupyterlab-git (pip), affecting versions >= 0.30.0b3, < 0.54.0a1. It is fixed in 0.54.0.

Key facts

CVSS score: Not available
Severity: High
Attack vector: Not available
Issuing authority: GitHub Advisory Database
Affected package: jupyterlab-git
Fixed in: 0.54.0
Disclosed: 2026

Summary

Overview

Amazon Web Services (AWS) Security has identified a stored cross-site scripting (XSS) issue in the jupyterlab-git JupyterLab extension that can lead to remote code execution (RCE). The issue exists in the PlainTextDiff.ts component, where the createHeader() method passes Git filenames directly to innerHTML without sanitization when rendering diffs for renamed files in commit history. This allows an adversary to craft a filename containing arbitrary HTML/JavaScript that executes when another user views the rename diff in the Git History tab.

The issue can be leveraged through the rename history view in the JupyterLab Git panel. An adversary creates a file with a crafted filename containing a JavaScript payload (e.g., <img src=x onerror=eval(atob("base64payload"))>.py), renames the file in a subsequent commit, and pushes to a shared repository. When a victim clones the repository, navigates to the Git History tab, clicks the rename commit, and then clicks the renamed file to view the diff, the unsanitized filename renders via innerHTML, executing arbitrary JavaScript in the victim's browser session. The injected JavaScript reads the xsrf cookie, opens a JupyterLab terminal via POST /api/terminals, connects via WebSocket, and executes arbitrary shell commands, achieving full RCE. An adversary can leverage this to exfiltrate secrets or credentials from the victim's environment.

Scope of impact

We discovered this issue during internal security testing. The issue is present in the default configuration of JupyterLab when the jupyterlab-git extension is installed.

The attack requires:

  • The adversary to have commit access to a Git repository that the victim has cloned
  • The victim to navigate to the Git History tab, click the rename commit, and click the renamed file to view the diff

The issue could allow an actor who has access to a shared Git repository to execute arbitrary JavaScript in another user's JupyterLab environment by committing a file with a crafted filename, potentially leading to remote code execution with access to user code, data, environment variables, and credentials.

Proof of concept

The issue exists in the createHeader() method where filenames from rename history are passed directly to innerHTML without sanitization:

[1] https://github.com/jupyterlab/jupyterlab-git/blob/main/src/components/diff/PlainTextDiff.ts#L214

Attack flow:

  • An adversary creates a file with a crafted filename containing a JavaScript payload, e.g., <img src=x onerror=eval(atob("base64payload"))>.py
  • The adversary renames the file in a subsequent commit and pushes both commits to a shared Git repository
  • The victim clones or pulls the repository and navigates to the Git History tab in JupyterLab
  • The victim clicks the rename commit, then clicks the renamed file to view the diff
  • The createHeader() method constructs a diff header using string concatenation with the unsanitized filename and assigns the result to innerHTML
  • The injected JavaScript executes in the victim's browser session, reads the _xsrf cookie, sends a POST request to /api/terminals to open a JupyterLab terminal, connects via WebSocket, and executes arbitrary shell commands

Proof-of-concept mitigation

The issue can be mitigated by replacing innerHTML with textContent for filename rendering in the createHeader() method of PlainTextDiff.ts. Alternatively, proper HTML sanitization (escaping <, >, &, ", ') can be applied before inserting user-controlled filenames into the DOM.
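As an added example (not jupyterlab-git's own code), the following JavaScript shows the vulnerable string-concatenation pattern beside a hardened form that escapes the five characters named in the mitigation above, a check that the rendered header contains no tags beyond the template's own, and a small audit helper that flags rename-history paths containing HTML metacharacters. The header layout, the class name, the function names and the sample filenames are constructed for illustration and do not come from the extension.

```javascript
// Added example, not code from jupyterlab-git. Header layout, class name and
// sample filenames are constructed for illustration.

// Escape table covering the five characters the advisory's mitigation lists.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (kept only for contrast): the filename is spliced into
// the markup verbatim, so any tag it contains becomes part of the DOM once
// the string is assigned to innerHTML.
function buildRenameHeaderUnsafe(previousPath, currentPath) {
  return `<div class="diff-header">${previousPath} → ${currentPath}</div>`;
}

// Hardened pattern: every user-controlled fragment is escaped before the
// string is assembled, so markup structure comes only from the template.
function buildRenameHeaderSafe(previousPath, currentPath) {
  return (
    '<div class="diff-header">' +
    `${escapeHtml(previousPath)} → ${escapeHtml(currentPath)}` +
    '</div>'
  );
}

// Unit-test style check: the rendered header may contain only the tags the
// template itself emits (here just <div>).
const TEMPLATE_TAGS = new Set(['div']);

function containsForeignTags(html) {
  const tagPattern = /<\/?([a-zA-Z][a-zA-Z0-9-]*)/g;
  let match;
  while ((match = tagPattern.exec(html)) !== null) {
    if (!TEMPLATE_TAGS.has(match[1].toLowerCase())) {
      return true;
    }
  }
  return false;
}

// Defender-side audit: flag paths in a rename history whose names contain
// HTML metacharacters, so they can be reviewed before anyone opens the diff.
function findSuspiciousFilenames(paths) {
  return paths.filter((p) => /[<>"'&]/.test(p));
}

// Constructed sample input: a rename whose new name carries markup.
const SAMPLE_RENAME = {
  previous: 'analysis.py',
  current: 'report<img src=x onerror=evil()>.py',
};

const unsafeHeader = buildRenameHeaderUnsafe(SAMPLE_RENAME.previous, SAMPLE_RENAME.current);
const safeHeader = buildRenameHeaderSafe(SAMPLE_RENAME.previous, SAMPLE_RENAME.current);
console.log('unsafe header injects a tag:', containsForeignTags(unsafeHeader));
console.log('safe header injects a tag:  ', containsForeignTags(safeHeader));
console.log('flagged filenames:', findSuspiciousFilenames(['analysis.py', SAMPLE_RENAME.current]));
```

In a browser the simplest fix remains the one the advisory gives: assign the filename with textContent (or append a text node) instead of building markup from it. escapeHtml is the fallback for the case where the string must still pass through innerHTML, and containsForeignTags is the kind of assertion a regression test can make over the rendered header.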

Impact

What is cross-site scripting (XSS)?

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.

Affected versions

pip

  • jupyterlab-git (>= 0.30.0b3, < 0.54.0a1)
  • jupyterlab-git-core (>= 0.30.0b3, < 0.54.0a1)

npm

  • @jupyterlab/git (>= 0.30.0b3, < 0.54.0-a1)

Security releases

  • jupyterlab-git → 0.54.0 (pip)
  • jupyterlab-git-core → 0.54.0 (pip)
  • @jupyterlab/git → 0.54.0 (npm)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Kodem's runtime-powered SCA identifies whether CVE-2026-54527 is reachable in your applications. Explore open-source security for your team.

See if CVE-2026-54527 is reachable in your applications. Get a demo

Remediation advice

Upgrade the following packages to resolve this vulnerability:

  • Upgrade jupyterlab-git to 0.54.0 or later
  • Upgrade jupyterlab-git-core to 0.54.0 or later
  • Upgrade @jupyterlab/git to 0.54.0 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about CVE-2026-54527

What is CVE-2026-54527?

CVE-2026-54527 is a high-severity cross-site scripting (XSS) vulnerability in jupyterlab-git (pip), affecting versions >= 0.30.0b3, < 0.54.0a1. It is fixed in 0.54.0. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.

Which packages are affected by CVE-2026-54527?

  • jupyterlab-git (pip) (versions >= 0.30.0b3, < 0.54.0a1)
  • jupyterlab-git-core (pip) (versions >= 0.30.0b3, < 0.54.0a1)
  • @jupyterlab/git (npm) (versions >= 0.30.0b3, < 0.54.0-a1)

Is there a fix for CVE-2026-54527?

Yes. CVE-2026-54527 is fixed in 0.54.0. Upgrade to this version or later.

Is CVE-2026-54527 exploitable, and should I be worried?

Whether CVE-2026-54527 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo

What actually determines whether CVE-2026-54527 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2026-54527?

  • Upgrade jupyterlab-git to 0.54.0 or later
  • Upgrade jupyterlab-git-core to 0.54.0 or later
  • Upgrade @jupyterlab/git to 0.54.0 or later
