CVE-2026-54527 in Git Plugininfo

Summary

by MITRE • 07/09/2026

JupyterLab Git is a Git extension for JupyterLab. From 0.30.0b3 before 0.54.0, the PlainTextDiff.ts createHeader() method passes Git filenames directly to innerHTML when rendering renamed files in commit history, allowing a crafted filename to execute JavaScript when a victim views the rename diff in the Git History tab. This issue is fixed in version 0.54.0.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability exists within JupyterLab Git extension version 0.30.0b3 through 0.53.0, specifically in the PlainTextDiff.ts file where the createHeader() method processes Git filenames without proper sanitization before rendering them in the user interface. This flaw represents a classic cross-site scripting vulnerability that allows attackers to inject malicious JavaScript code through specially crafted filenames used in Git operations such as file renames. The security issue manifests when users view commit history containing renamed files, making it particularly dangerous in collaborative environments where multiple users contribute to repositories.

The technical implementation of this vulnerability stems from the direct use of user-provided data in DOM manipulation operations. When Git tracks file renames, the original and new filenames are stored and later displayed in the JupyterLab interface through the PlainTextDiff.ts component. The createHeader() method fails to sanitize these filenames before passing them to innerHTML, which is a well-documented pattern for XSS vulnerabilities. This approach directly violates secure coding practices and aligns with CWE-79, which defines cross-site scripting as the insertion of malicious code into web pages viewed by other users. The vulnerability operates at the application layer and requires no special privileges or authentication to exploit, making it particularly concerning for shared development environments.

The operational impact of this vulnerability extends beyond simple code injection, as it can enable attackers to perform various malicious activities including session hijacking, data exfiltration, and privilege escalation within the JupyterLab environment. When victims view commit history containing crafted filenames, the injected JavaScript executes in their browser context with the same privileges as the legitimate user, potentially allowing attackers to access sensitive notebooks, steal authentication tokens, or manipulate repository contents. This vulnerability is especially dangerous in enterprise settings where JupyterLab serves as a data science platform and users may have access to confidential datasets and research materials. The attack vector requires only that an attacker can influence Git operations on a repository that the victim views, making it particularly effective in collaborative development workflows.

Mitigation strategies for this vulnerability include updating to version 0.54.0 or later where the issue has been resolved through proper input sanitization of filenames before DOM rendering. Organizations should implement automated patch management processes to ensure all JupyterLab installations are updated promptly with security fixes. Additionally, implementing Content Security Policy headers and regular security scanning of development environments can provide additional defense in depth. The fix likely involves sanitizing user inputs using appropriate encoding functions or DOM manipulation methods that prevent JavaScript execution, which aligns with ATT&CK technique T1059.007 for executing commands through scripting languages and represents a fundamental secure coding practice that should be applied to all web applications processing user-provided content.

Responsible

GitHub M

Reservation

06/15/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!