CVE-2026-39377— nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-39377
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames
Source: NVD (National Vulnerability Database)
Vulnerability Description
The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions 6.5 through 7.17.0 allow arbitrary file writes to locations outside the intended output directory when processing notebooks containing crafted cell attachment filenames. The `ExtractAttachmentsPreprocessor` passes attachment filenames directly to the filesystem without sanitization, enabling path traversal attacks. This vulnerability provides complete control over both the destination path and file extension. Version 7.17.1 contains a patch.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
nbconvert 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
nbconvert是Jupyter组织的一个格式转换库。将 Jupyter .ipynb 笔记本文档文件转换为另一种静态格式,包括 HTML、LaTeX、PDF、Markdown 等。 nbconvert 6.5版本至7.17.0版本存在路径遍历漏洞,该漏洞源于ExtractAttachmentsPreprocessor对附件文件名清理不当,可能导致任意文件写入。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-39377
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-39377
请登录查看更多情报信息。
- Release v7.17.1 · jupyter/nbconvert · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-39377
IV. Related Vulnerabilities
Same vendor: jupyter
- CVE-2026-40171
Jupyter Notebook and JupyterLab token theft via stored XSS i - CVE-2026-39378
nbconvert has an Arbitrary File Read via Path Traversal in H - CVE-2025-53000
nbconvert has an uncontrolled search path that leads to unau - CVE-2025-30167
Jupyter Core on Windows Has Uncontrolled Search Path Element - CVE-2025-23205
`frame-ancestors: self` grants all users access to formgrade
Same weakness: CWE-22
- CVE-2026-8274
npitre cramfs-tools Directory cramfsck.c do_directory path t - CVE-2022-50956
WordPress Plugin amministrazione-aperta 3.7.3 Local File Rea - CVE-2026-8215
Industrial Application Software IAS Canias ERP RMI iasReques - CVE-2026-42605
AzuraCast: Path Traversal in `currentDirectory` Parameter En - CVE-2026-42574
apko dirFS has a symlink-following path traversal that allow
V. Comments for CVE-2026-39377
No comments yet