VDB

CVE-2026-39378

CVE-2026-39378 PUBLISHED CVSS 6.5 MEDIUM

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when `HTMLExporter.embed_images=True`, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook can exfiltrate sensitive files from the conversion host by embedding them as base64 data URIs in the output HTML. nbconvert 7.17.1 contains a fix. As a workaround, do not enable `HTMLExporter.embed_images`; it is not enabled by default.

EPSS 0.04% · 11.9th percentile

Risk Scores

CVSS v3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS Score
0.04%
11.9th percentile

Affected Products

VendorProductVersions
jupyternbconvert>= 6.5, < 7.17.1

Timeline

  • Apr 20, 2026 PoC Published
  • Apr 21, 2026 CVE Published
  • Apr 21, 2026 PoC Published
  • Apr 22, 2026 Security Advisory
  • Apr 23, 2026 CVE Updated
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›