CVE-2026-54527
Severity CVSS v4.0:
CRITICAL
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
08/07/2026
Last modified:
10/07/2026
Description
JupyterLab Git is a Git extension for JupyterLab. From 0.30.0b3 before 0.54.0, the PlainTextDiff.ts createHeader() method passes Git filenames directly to innerHTML when rendering renamed files in commit history, allowing a crafted filename to execute JavaScript when a victim views the rename diff in the Git History tab. This issue is fixed in version 0.54.0.
Impact
Base Score 4.0
9.30
Severity 4.0
CRITICAL
References to Advisories, Solutions, and Tools
- https://github.com/jupyterlab/jupyterlab-git/commit/c6d37b88f36aa59aee317930b95e427fb9d6b09b
- https://github.com/jupyterlab/jupyterlab-git/releases/tag/v0.54.0
- https://github.com/jupyterlab/jupyterlab-git/security/advisories/GHSA-f962-v9hr-pfg5
- https://github.com/jupyterlab/jupyterlab-git/security/advisories/GHSA-f962-v9hr-pfg5



