CVE-2026-3029
Publication date 19 March 2026
Last updated 25 March 2026
Ubuntu priority
Description
A path traversal and arbitrary file write vulnerability exist in the embedded get function in '_main_.py' in PyMuPDF version, 1.26.5.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| pymupdf | 25.10 questing |
Needs evaluation
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2026-3029
- https://github.com/pymupdf/PyMuPDF/issues/4767
- https://github.com/pymupdf/PyMuPDF/commit/756e1ee94421fb7c570ef49bfdac21c72025417d (1.26.7)
- http://github.com/pymupdf/PyMuPDF
- http://github.com/pymupdf/PyMuPDF/commit/603cafe38a183b8bab34f16d05043b4185d8d40a
- https://www.kb.cert.org/vuls/id/504749