- Package: src:nbconvert
- Source: src:nbconvert
- Submitter: Salvatore Bonaccorso
- Date: 2026-06-20 15:07:02 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for nbconvert.

CVE-2026-39378[0]:
| The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to
| various other formats via Jinja templates. In versions 6.5 through
| 7.17.0, when `HTMLExporter.embed_images=True`, nbconvert's markdown
| renderer allows arbitrary file read via path traversal in image
| references. A malicious notebook can exfiltrate sensitive files from
| the conversion host by embedding them as base64 data URIs in the
| output HTML. nbconvert 7.17.1 contains a fix. As a workaround, do
| not enable `HTMLExporter.embed_images`; it is not enabled by
| default.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-39378
    https://www.cve.org/CVERecord?id=CVE-2026-39378
[1] https://github.com/jupyter/nbconvert/security/advisories/GHSA-7jqv-fw35-gmx9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
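The advisory above describes a local image reference escaping the notebook's directory when images are embedded as data URIs. The following is an added illustration (not nbconvert's code and not the upstream fix) of the containment check a defender would expect before embedding, plus a scanner that flags such references in a notebook. The notebook content and the base directory are constructed assumptions.

```python
import base64
import mimetypes
import re
from pathlib import Path

# Matches markdown image syntax ![alt](src); sufficient for this illustration.
MARKDOWN_IMAGE = re.compile(r"!\[[^\]]*\]\(([^)\s]+)\)")

# Constructed sample notebook (hypothetical): one ordinary image reference
# and one reference that climbs out of the notebook directory.
SAMPLE_NOTEBOOK = {
    "cells": [
        {"cell_type": "markdown", "source": "![plot](figs/plot.png)"},
        {"cell_type": "markdown", "source": "![x](../../../../etc/passwd)"},
    ]
}


def resolve_inside(base_dir, src):
    """Return the resolved path of src if it stays under base_dir, else None.

    resolve() follows symlinks, so a link inside base_dir pointing outside
    is rejected as well. Illustrative guard only, not the upstream patch.
    """
    base = Path(base_dir).resolve()
    target = (base / src).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return None
    return target


def find_traversal_refs(notebook, base_dir):
    """List local markdown image references that would escape base_dir."""
    escaped = []
    for cell in notebook.get("cells", []):
        if cell.get("cell_type") != "markdown":
            continue
        text = cell["source"]
        text = text if isinstance(text, str) else "".join(text)
        for src in MARKDOWN_IMAGE.findall(text):
            if src.startswith(("http://", "https://", "data:")):
                continue  # remote and inline images are not local file reads
            if resolve_inside(base_dir, src) is None:
                escaped.append(src)
    return escaped


def embed_image(base_dir, src):
    """Embed a local image as a base64 data URI only when it resolves inside base_dir."""
    path = resolve_inside(base_dir, src)
    if path is None or not path.is_file():
        return None
    mime = mimetypes.guess_type(str(path))[0] or "application/octet-stream"
    return f"data:{mime};base64,{base64.b64encode(path.read_bytes()).decode()}"
```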
Hello,

Bug #1134890 in nbconvert reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/python-team/packages/nbconvert/-/commit/7a973d46499287df54d2b9dd79f3ae2ba9a7a21d

------------------------------------------------------------------------
Update upstream source from tag 'upstream/7.17.1'

Update to upstream version '7.17.1'
with Debian dir ed8aa976f4e3fe29477195ebaf171edd912ec2bb

Closes: #1134889, #1134890
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1134890
We believe that the bug you reported is fixed in the latest version of
nbconvert, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1134890@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated nbconvert package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 26 Apr 2026 19:46:51 +0100
Source: nbconvert
Architecture: source
Version: 7.17.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1134889 1134890
Changes:
nbconvert (7.17.1-1) unstable; urgency=medium
.
  * Team upload.
  * New upstream release:
    - CVE-2026-39377: Fix arbitrary file write via path traversal in cell
      attachment filenames (closes: #1134889).
    - CVE-2026-39378: Fix arbitrary file read via path traversal in
      HTMLExporter image embedding (closes: #1134890).