{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/504749#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nA path traversal vulnerability leading to arbitrary file write exists in PyMuPDF version 1.26.5, within the `embedded_get` function in `__main__.py`. The function uses untrusted embedded-file metadata directly as an output path, enabling an attacker who supplies a crafted PDF to write files to arbitrary locations on the local system.\r\n\r\n### Description\r\nPyMuPDF is a Python interface to the MuPDF document rendering engine, providing capabilities for parsing, rendering, searching, and modifying PDF documents.\r\nThe `embedded_get` function in PyMuPDF opens the supplied PDF and fetches the metadata of the embedded file to be extracted, including its file name. When `args.output` is given, it specifies where the extracted file is written on the local system. When `args.output` is not provided, `embedded_get` falls back to the file name stored in the embedded-file metadata and opens that value in write-binary mode. The path is passed to the open call without any validation or confinement to an output directory, so it can point anywhere the executing user is permitted to write.\r\nBecause that fallback name is taken from the document, a crafted PDF can carry an embedded file whose stored name contains directory traversal sequences (for example `../`) that resolve to a location chosen by the author of the PDF. When such an embedded file is extracted with `embedded_get` and no `args.output` is specified, the tool writes the extracted content outside the intended directory, to that attacker-chosen path.\r\n\r\n### Impact\r\nSuccessful exploitation can result in arbitrary file writes to any location the executing user is permitted to write. If the tool is run under an account with elevated privileges, it may overwrite system files, which can lead to privilege escalation, service disruption, or security bypass.\r\n\r\n### Solution\r\nPyMuPDF has released version 1.26.7 to address this vulnerability. Affected users are encouraged to update as soon as possible.\r\n\r\n### Acknowledgements\r\nThanks to the reporter Jangwoo Choe (UKO). This document was written by Michael Bragg.\r\n\r\n**CVE-2026-3029**\r\nA path traversal and arbitrary file write vulnerability exists in the `embedded_get` function in `__main__.py` in PyMuPDF version 1.26.5.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status.\r\nPlease consult the vendor's statements and advisory URL if provided by the vendor for more details.","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/504749"},{"url":"http://github.com/pymupdf/PyMuPDF","summary":"http://github.com/pymupdf/PyMuPDF"},{"url":"http://github.com/pymupdf/PyMuPDF/commit/603cafe38a183b8bab34f16d05043b4185d8d40a","summary":"http://github.com/pymupdf/PyMuPDF/commit/603cafe38a183b8bab34f16d05043b4185d8d40a"}],"title":"PyMuPDF path traversal and arbitrary file write vulnerabilities","tracking":{"current_release_date":"2026-03-19T15:53:54+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#504749","initial_release_date":"2026-02-12 18:05:12.897457+00:00","revision_history":[{"date":"2026-03-19T15:53:54+00:00","number":"1.20260319155354.4","summary":"Released on 2026-03-19T15:53:54+00:00"}],"status":"final","version":"1.20260319155354.4"}},"vulnerabilities":[{"title":"A path traversal and arbitrary file write vulnerability exists in the embedded get function in '_main_.","notes":[{"category":"summary","text":"A path traversal and arbitrary file write vulnerability exists in the `embedded_get` function in `__main__.py` in PyMuPDF version 1.26.5."}],"cve":"CVE-2026-3029","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#504749"}]}],"product_tree":{"branches":[]}}
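The pattern the advisory describes (an extraction routine that, when no explicit output path is given, takes the file name stored in the document's embedded-file metadata and opens it for writing as-is) is shown below as an added illustration. This is not part of the CERT/CC document and not PyMuPDF's own code: the entry dicts standing in for embedded-file metadata, the function names `extract_unchecked`, `confined_path` and `extract_confined`, and the scratch directory layout are all constructed for the example, and the fix shipped in PyMuPDF 1.26.7 may take a different approach. `extract_unchecked` reproduces the vulnerable shape; `extract_confined` keeps the operator-supplied output path but confines the metadata fallback to the intended directory and rejects names that carry directory components.

```python
"""Added illustration of the unchecked-output-path pattern and one hardened form.
Not PyMuPDF code: the entries below are constructed dicts standing in for
embedded-file metadata, and the function names are hypothetical."""
import os
import tempfile
from pathlib import Path, PurePosixPath

# Constructed samples of what a document's embedded-file metadata might hold.
HOSTILE_ENTRY = {"filename": "../../escaped.txt", "content": b"attacker data"}
BENIGN_ENTRY = {"filename": "report.csv", "content": b"a,b\n1,2\n"}


def extract_unchecked(entry, out_dir, output=None):
    """Vulnerable shape: without an explicit output, the document-supplied
    name is used as the path as-is, so '../' segments walk out of out_dir."""
    path = os.path.join(out_dir, output or entry["filename"])
    with open(path, "wb") as fh:
        fh.write(entry["content"])
    return Path(path).resolve()


def confined_path(out_dir, untrusted_name):
    """Map an untrusted name to a file directly inside out_dir, or raise.

    Names carrying directory components (../, absolute paths, Windows-style
    backslashes) are rejected rather than silently renamed, so the operator
    sees that the document tried to choose its own destination."""
    base = Path(out_dir).resolve()
    normalized = untrusted_name.replace("\\", "/")
    name = PurePosixPath(normalized).name
    if not name or name in (".", "..") or name != normalized:
        raise ValueError(f"refusing embedded file name {untrusted_name!r}")
    target = (base / name).resolve()
    # Second check after resolving symlinks: the file must still sit in base.
    if target.parent != base:
        raise ValueError(f"{target} is outside {base}")
    return target


def extract_confined(entry, out_dir, output=None):
    """Hardened shape: an operator-supplied output path is honoured as given;
    the metadata fallback is confined to out_dir."""
    target = Path(output) if output else confined_path(out_dir, entry["filename"])
    with open(target, "wb") as fh:
        fh.write(entry["content"])
    return target.resolve()


def demo():
    """Run both extractors in a scratch tree and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        out_dir = Path(tmp, "work", "extract")
        out_dir.mkdir(parents=True)
        base = out_dir.resolve()

        # The unchecked version lands two levels above the intended directory.
        escaped = extract_unchecked(HOSTILE_ENTRY, out_dir)
        try:
            extract_confined(HOSTILE_ENTRY, out_dir)
            blocked = False
        except ValueError:
            blocked = True
        kept = extract_confined(BENIGN_ENTRY, out_dir)

        return {
            "unchecked_wrote_outside": escaped.parent != base and escaped.exists(),
            "confined_blocked_hostile": blocked,
            "confined_wrote_inside": kept.parent == base
            and kept.read_bytes() == BENIGN_ENTRY["content"],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Rejecting rather than sanitising the stored name is a deliberate choice for a command-line extractor: the operator already has `-o` style control over the destination, so a document that tries to pick its own path is better surfaced as an error than quietly written under a stripped basename. The second check after `resolve()` covers the case where a plain name inside the output directory is a symbolic link pointing elsewhere.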