Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-39378
6.5 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): NONE
- Availability impact (A): NONE
Activity log
- Created suggestion
nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding
The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when `HTMLExporter.embed_images=True`, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook can exfiltrate sensitive files from the conversion host by embedding them as base64 data URIs in the output HTML. nbconvert 7.17.1 contains a fix. As a workaround, do not enable `HTMLExporter.embed_images`; it is not enabled by default.
References
-
https://github.com/jupyter/nbconvert/security/advisories/GHSA-7jqv-fw35-gmx9 x_refsource_CONFIRM
-
https://github.com/jupyter/nbconvert/releases/tag/v7.17.1 x_refsource_MISC
Affected products
nbconvert
- ==>= 6.5, < 7.17.1
Matching in nixpkgs
pkgs.python312Packages.nbconvert
Converting Jupyter Notebooks
pkgs.python313Packages.nbconvert
Converting Jupyter Notebooks
pkgs.python314Packages.nbconvert
Converting Jupyter Notebooks
Package maintainers
-
@natsukium Tomoya Otabi <nixpkgs@natsukium.com>
-
@GaetanLepage Gaetan Lepage <gaetan@glepage.com>
-
@thomasjm Tom McLaughlin <tom@codedown.io>