Path Traversal and Arbitrary File Write Vulnerability in PyMuPDF by Artifex Software
CVE-2026-3029

7.5HIGH

Key Information:

Vendor: Artifex Software Inc. *pymuPDF*
Status: PymuPDF
Vendor: CVE Published:; 19 March 2026

🔔 Create Artifex Software Inc. *pymuPDF* Vulnerability Alert

What is CVE-2026-3029?

A path traversal and arbitrary file write vulnerability exists in the embedded get function within 'main.py' in PyMuPDF version 1.26.5. This flaw enables attackers to potentially access sensitive files on the server or write arbitrary files, leading to unauthorized data exposure or system compromise. Users are advised to update to the latest version of PyMuPDF to mitigate this risk.

Affected Version(s)

PyMuPDF 1.26.5 < 1.26.7

References

http://github.com/pymupdf/PyMuPDF

http://github.com/pymupdf/PyMuPDF/commit/603cafe38a183b8b...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 19, 2026
Vulnerability Reserved
Feb 23, 2026

CVE-2026-3029 Data

JSON