CVE-2026-39378
- Source
- https://cve.org/CVERecord?id=CVE-2026-39378
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-39378.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-39378
- Aliases
- Downstream
- Related
- Published
- 2026-04-21T00:17:00.684Z
- Modified
- 2026-04-24T12:16:06.151087Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding
- Details
-
The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when
HTMLExporter.embed_images=True, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook can exfiltrate sensitive files from the conversion host by embedding them as base64 data URIs in the output HTML. nbconvert 7.17.1 contains a fix. As a workaround, do not enableHTMLExporter.embed_images; it is not enabled by default. - Database specific
{ "cwe_ids": [ "CWE-22", "CWE-73" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39378.json", "cna_assigner": "GitHub_M" }- References
Affected packages
Git / github.com/jupyter/nbconvert
Affected versions
6.*
6.5
7.*
7.0.0
7.0.0rc0
7.0.0rc1
7.0.0rc2
7.0.0rc3
7.1.0
v7.*
v7.10.0
v7.11.0
v7.12.0
v7.13.0
v7.13.1
v7.14.0
v7.14.1
v7.14.2
v7.15.0
v7.16.0
v7.16.1
v7.16.2
v7.16.3
v7.16.4
v7.16.5
v7.16.6
v7.17.0
v7.2.0
v7.2.1
v7.2.10
v7.2.2
v7.2.3
v7.2.4
v7.2.5
v7.2.6
v7.2.7
v7.2.8
v7.2.9
v7.3.0
v7.3.1
v7.4.0
v7.5.0
v7.6.0
v7.7.0
v7.7.1
v7.7.2
v7.7.3
v7.7.4
v7.8.0
v7.9.0
v7.9.1
v7.9.2