Path Traversal in Jupyter Nbconvert
CVE-2026-39377
The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions 6.5 through 7.17.0 allow arbitrary file writes to locations outside the intended output directory when processing note…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.000 (15.1th percentile)
CVSS v3 metric
CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N.
Affected products
- Jupyter Nbconvert — versions >= 6.5, < 7.17.1
Weakness classification (CWE)
References
- https://github.com/jupyter/nbconvert/security/advisories/GHSA-4c99-qj7h-p3vg (x_refsource_CONFIRM)
- https://github.com/jupyter/nbconvert/releases/tag/v7.17.1 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2026-39377?
- CVE-2026-39377 is a medium-severity vulnerability in Jupyter Nbconvert, classified under Path Traversal. CVSS score: 6.5/10. Published 2026-04-21.
- How severe is CVE-2026-39377?
- Medium severity. CVSS v3 base score is 6.5 out of 10.