{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3029", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-02-23T14:10:15.439Z", "datePublished": "2026-03-19T15:53:38.778Z", "dateUpdated": "2026-03-24T01:35:10.611Z"}, "containers": {"cna": {"title": "CVE-2026-3029", "descriptions": [{"lang": "en", "value": "A path traversal and arbitrary file write vulnerability exist in the embedded get function in '_main_.py' in PyMuPDF version, 1.26.5."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Artifex Software Inc. *PyMuPDF*", "product": "PyMuPDF", "versions": [{"status": "affected", "version": "1.26.5", "lessThan": "1.26.7", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "references": [{"url": "http://github.com/pymupdf/PyMuPDF"}, {"url": "http://github.com/pymupdf/PyMuPDF/commit/603cafe38a183b8bab34f16d05043b4185d8d40a"}], "x_generator": {"engine": "VINCE 3.0.34", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-3029"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-03-19T15:53:38.778Z"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.kb.cert.org/vuls/id/504749"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-19T16:21:32.940Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T01:34:12.421332Z", "id": "CVE-2026-3029", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T01:35:10.611Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.kb.cert.org/vuls/id/504749"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-19T16:21:32.940Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3029", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T01:34:12.421332Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T01:35:04.667Z"}}], "cna": {"title": "CVE-2026-3029", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Artifex Software Inc. *PyMuPDF*", "product": "PyMuPDF", "versions": [{"status": "affected", "version": "1.26.5", "lessThan": "1.26.7", "versionType": "custom"}]}], "references": [{"url": "http://github.com/pymupdf/PyMuPDF"}, {"url": "http://github.com/pymupdf/PyMuPDF/commit/603cafe38a183b8bab34f16d05043b4185d8d40a"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.34", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-3029"}, "descriptions": [{"lang": "en", "value": "A path traversal and arbitrary file write vulnerability exist in the embedded get function in '_main_.py' in PyMuPDF version, 1.26.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-03-19T15:53:38.778Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3029", "state": "PUBLISHED", "dateUpdated": "2026-03-24T01:35:10.611Z", "dateReserved": "2026-02-23T14:10:15.439Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-03-19T15:53:38.778Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A path traversal and arbitrary file write vulnerability exist in the embedded get function in '_main_.py' in PyMuPDF version, 1.26.5."}, {"lang": "es", "value": "Una vulnerabilidad de salto de ruta y escritura arbitraria de archivos existe en la funci\u00f3n get incrustada en '_main_.py' en la versi\u00f3n 1.26.5 de PyMuPDF."}], "id": "CVE-2026-3029", "lastModified": "2026-03-24T02:16:05.463", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-19T16:16:04.297", "references": [{"source": "cret@cert.org", "url": "http://github.com/pymupdf/PyMuPDF"}, {"source": "cret@cert.org", "url": "http://github.com/pymupdf/PyMuPDF/commit/603cafe38a183b8bab34f16d05043b4185d8d40a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.kb.cert.org/vuls/id/504749"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "PyMuPDF: PyMuPDF: Arbitrary file write via path traversal vulnerability", "id": "2449054", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449054"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in PyMuPDF. This vulnerability, involving path traversal, allows an attacker to write arbitrary files to unintended locations on the system. The flaw is present in the embedded `get` function within the `_main_.py` file. Successful exploitation could lead to system compromise or data corruption."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, ensure that applications utilizing PyMuPDF, especially those processing untrusted documents, are run within a sandboxed environment with strict limitations on file system write access. Additionally, validate and sanitize all input paths before they are processed by PyMuPDF's `get` function to prevent path traversal."}, "name": "CVE-2026-3029", "package_state": [{"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}], "public_date": "2026-03-19T15:53:38Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3029\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3029\nhttp://github.com/pymupdf/PyMuPDF\nhttp://github.com/pymupdf/PyMuPDF/commit/603cafe38a183b8bab34f16d05043b4185d8d40a"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.26.5,1.26.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "PyMuPDF", "source": "cna", "vendor": "Artifex Software Inc. *PyMuPDF*"}, "product": "pymupdf", "vendor": "artifex"}], "analysis": {"en": {"generated_at": "2026-03-20T12:52:08.959109+00:00", "value": {"mitigation_remediation": ["Upgrade PyMuPDF to a patched version (e.g., any release 1.26.6 or later) to eliminate the vulnerability.", "Ensure that any user-supplied inputs passed to the get function are validated and sanitized to prevent path traversal attempts.", "Check Artifex Software Inc. for additional advisories or workarounds if a patch is not immediately available."], "summary": {"action": "Apply Patch", "impact": "Arbitrary File Write"}, "threat_synthesis": {"affected_systems": "Artifex Software Inc. ships the PyMuPDF library that is affected. The provided data indicates only version 1.26.5 is vulnerable; no other versions are listed as impacted.", "description_and_impact": "The flaw exists in the embedded get function in '_main_.py' of PyMuPDF version 1.26.5 and allows path traversal that can be leveraged to write arbitrary files to the filesystem. This capability enables an attacker to overwrite existing files or create new ones, potentially installing malicious code or compromising sensitive data, resulting in a breach of confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score is not disclosed, the EPSS score is marked as not available, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no publicly known exploit. The risk remains high because the vulnerability permits arbitrary file writes and path traversal; it is likely exploitable in scenarios where a user can invoke the get function with crafted input, which may be possible through local or remote processing of PDF files depending on application architecture."}}}}, "created": "2026-03-20T08:56:39.448481+00:00", "title": "Path Traversal and Arbitrary File Write in PyMuPDF", "updated": "2026-03-20T14:14:45.668969+00:00", "vendors": ["artifex", "artifex$PRODUCT$pymupdf"]}