CVE-2026-39378

MEDIUM NVD

CVSS Score 6.5

Severity MEDIUM

Published Apr 21, 2026

Vendor unknown

Description

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when `HTMLExporter.embed_images=True`, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook can exfiltrate sensitive files from the conversion host by embedding them as base64 data URIs in the output HTML. nbconvert 7.17.1 contains a fix. As a workaround, do not enable `HTMLExporter.embed_images`; it is not enabled by default.

References

https://github.com/jupyter/nbconvert/releases/tag/v7.17.1
https://github.com/jupyter/nbconvert/security/advisories/GHSA-7jqv-fw35-gmx9