Medium severity6.5NVD Advisory· Published Apr 21, 2026· Updated Apr 23, 2026
CVE-2026-39378
CVE-2026-39378
Description
The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when HTMLExporter.embed_images=True, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook can exfiltrate sensitive files from the conversion host by embedding them as base64 data URIs in the output HTML. nbconvert 7.17.1 contains a fix. As a workaround, do not enable HTMLExporter.embed_images; it is not enabled by default.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
nbconvertPyPI | >= 6.5.0, < 7.17.1 | 7.17.1 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-7jqv-fw35-gmx9ghsaADVISORY
- github.com/jupyter/nbconvert/security/advisories/GHSA-7jqv-fw35-gmx9nvdMitigationVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-39378ghsaADVISORY
- github.com/jupyter/nbconvert/releases/tag/v7.17.1nvdProductWEB
News mentions
0No linked articles in our index yet.