{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3029", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-02-23T14:10:15.439Z", "datePublished": "2026-03-19T15:53:38.778Z", "dateUpdated": "2026-03-24T01:35:10.611Z"}, "containers": {"cna": {"title": "CVE-2026-3029", "descriptions": [{"lang": "en", "value": "A path traversal and arbitrary file write vulnerability exist in the embedded get function in '_main_.py' in PyMuPDF version, 1.26.5."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Artifex Software Inc. *PyMuPDF*", "product": "PyMuPDF", "versions": [{"status": "affected", "version": "1.26.5", "lessThan": "1.26.7", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "references": [{"url": "http://github.com/pymupdf/PyMuPDF"}, {"url": "http://github.com/pymupdf/PyMuPDF/commit/603cafe38a183b8bab34f16d05043b4185d8d40a"}], "x_generator": {"engine": "VINCE 3.0.34", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-3029"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-03-19T15:53:38.778Z"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.kb.cert.org/vuls/id/504749"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-19T16:21:32.940Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T01:34:12.421332Z", "id": "CVE-2026-3029", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T01:35:10.611Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.kb.cert.org/vuls/id/504749"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-19T16:21:32.940Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3029", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T01:34:12.421332Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T01:35:04.667Z"}}], "cna": {"title": "CVE-2026-3029", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Artifex Software Inc. *PyMuPDF*", "product": "PyMuPDF", "versions": [{"status": "affected", "version": "1.26.5", "lessThan": "1.26.7", "versionType": "custom"}]}], "references": [{"url": "http://github.com/pymupdf/PyMuPDF"}, {"url": "http://github.com/pymupdf/PyMuPDF/commit/603cafe38a183b8bab34f16d05043b4185d8d40a"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.34", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-3029"}, "descriptions": [{"lang": "en", "value": "A path traversal and arbitrary file write vulnerability exist in the embedded get function in '_main_.py' in PyMuPDF version, 1.26.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-03-19T15:53:38.778Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3029", "state": "PUBLISHED", "dateUpdated": "2026-03-24T01:35:10.611Z", "dateReserved": "2026-02-23T14:10:15.439Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-03-19T15:53:38.778Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A path traversal and arbitrary file write vulnerability exist in the embedded get function in '_main_.py' in PyMuPDF version, 1.26.5."}, {"lang": "es", "value": "Una vulnerabilidad de salto de ruta y escritura arbitraria de archivos existe en la funci\u00f3n get incrustada en '_main_.py' en la versi\u00f3n 1.26.5 de PyMuPDF."}], "id": "CVE-2026-3029", "lastModified": "2026-03-24T02:16:05.463", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-19T16:16:04.297", "references": [{"source": "cret@cert.org", "url": "http://github.com/pymupdf/PyMuPDF"}, {"source": "cret@cert.org", "url": "http://github.com/pymupdf/PyMuPDF/commit/603cafe38a183b8bab34f16d05043b4185d8d40a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.kb.cert.org/vuls/id/504749"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "PyMuPDF: PyMuPDF: Arbitrary file write via path traversal vulnerability", "id": "2449054", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449054"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in PyMuPDF. This vulnerability, involving path traversal, allows an attacker to write arbitrary files to unintended locations on the system. The flaw is present in the embedded `get` function within the `_main_.py` file. Successful exploitation could lead to system compromise or data corruption."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, ensure that applications utilizing PyMuPDF, especially those processing untrusted documents, are run within a sandboxed environment with strict limitations on file system write access. Additionally, validate and sanitize all input paths before they are processed by PyMuPDF's `get` function to prevent path traversal."}, "name": "CVE-2026-3029", "package_state": [{"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}], "public_date": "2026-03-19T15:53:38Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3029\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3029\nhttp://github.com/pymupdf/PyMuPDF\nhttp://github.com/pymupdf/PyMuPDF/commit/603cafe38a183b8bab34f16d05043b4185d8d40a"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.26.5,1.26.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "PyMuPDF", "source": "cna", "vendor": "Artifex Software Inc. *PyMuPDF*"}, "product": "pymupdf", "vendor": "artifex"}], "analysis": {"en": {"generated_at": "2026-03-24T04:37:11.056935+00:00", "value": {"mitigation_remediation": ["Check the PyMuPDF vendor\u2019s website or release notes for a patch that removes or fixes the vulnerable get function.", "If a patch is not yet available, restrict the environment in which PyMuPDF runs so that it cannot access sensitive file paths, or alter application code to enforce strict path validation before calling get."], "summary": {"action": "Immediate Update", "impact": "Arbitrary File Write"}, "threat_synthesis": {"affected_systems": "The PyMuPDF library developed by Artifex Software Inc., specifically version 1.26.5, is affected by this path traversal and arbitrary file write vulnerability.", "description_and_impact": "A flaw in the get function of PyMuPDF 1.26.5 allows unvalidated file paths to be processed, enabling an attacker to traverse directories and write files at arbitrary locations. This weakness permits overwriting trusted files, inserting malicious content, or corrupting data, thereby compromising integrity and possibly enabling further exploitation.", "risk_and_exploitability": "The CVSS score of 7.5 signals high severity, yet the EPSS score of less than 1\u202f% indicates that exploitation is currently rare. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector appears to be local, requiring an attacker to supply a crafted path to the vulnerable get function."}}}}, "created": "2026-03-20T08:56:39.448481+00:00", "title": "Arbitrary File Write via Path Traversal in PyMuPDF 1.26.5", "updated": "2026-03-25T11:55:18.589481+00:00", "vendors": ["artifex", "artifex$PRODUCT$pymupdf"]}