PT-2026-33878 · Nbconvert · Nconvert

Published: 2026-04-21 · Updated: 2026-05-11 · CVE-2026-39377

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

nbconvert versions 6.5 through 7.17.0

Description

The nbconvert tool converts Jupyter notebooks to various formats using Jinja templates. A path traversal issue exists where the ExtractAttachmentsPreprocessor passes attachment filenames directly to the filesystem without sanitization. This allows arbitrary file writes to locations outside the intended output directory, giving an attacker complete control over the destination path, filename, and file extension.

Recommendations

Update to version 7.17.1. As a temporary workaround, disable the ExtractAttachmentsPreprocessor by setting c.ExtractAttachmentsPreprocessor.enabled = False.
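
For notebooks that must be converted before the update is applied, attachment names can be audited ahead of conversion. The following is an added example, not nbconvert's code or its fix: the function names, the "output" directory and the sample notebook are constructed for illustration, and the plain-filename-only policy is an assumption chosen to be conservative.

```python
import json
import ntpath
import os
import posixpath

# Constructed sample notebook (nbformat 4). Attachments are stored per cell
# as a mapping of filename -> MIME bundle.
SAMPLE_NOTEBOOK = json.dumps({
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "markdown", "metadata": {}, "source": "![a](attachment:plot.png)",
         "attachments": {"plot.png": {"image/png": "aGVsbG8="}}},
        {"cell_type": "markdown", "metadata": {}, "source": "",
         "attachments": {"../../escape.txt": {"text/plain": "eA=="},
                         "/tmp/abs.txt": {"text/plain": "eA=="},
                         "sub\\..\\..\\win.txt": {"text/plain": "eA=="}}},
    ],
})


def is_unsafe_attachment_name(name, output_dir="output"):
    """Return True unless `name` is a plain filename that stays inside output_dir."""
    # Empty names and the special directory entries are never valid filenames.
    if not name or name in (".", ".."):
        return True
    # Reject any directory or drive component, in POSIX or Windows form.
    if posixpath.basename(name) != name or ntpath.basename(name) != name:
        return True
    # Defence in depth: the resolved target must remain under the output root.
    root = os.path.realpath(output_dir)
    target = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, target]) != root


def audit_notebook(nb_json, output_dir="output"):
    """Return (cell_index, attachment_name) for every unsafe attachment name."""
    nb = json.loads(nb_json)
    findings = []
    for index, cell in enumerate(nb.get("cells", [])):
        for name in cell.get("attachments") or {}:
            if is_unsafe_attachment_name(name, output_dir):
                findings.append((index, name))
    return findings


if __name__ == "__main__":
    for index, name in audit_notebook(SAMPLE_NOTEBOOK):
        print(f"cell {index}: unsafe attachment name {name!r}")
```

A non-empty result from audit_notebook is a reason to reject or quarantine the notebook rather than convert it on an affected version.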

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-39377
GHSA-4C99-QJ7H-P3VG
OESA-2026-2195
OESA-2026-2196
OESA-2026-2215
OPENSUSE-SU-2026:10603-1

Affected Products

Nconvert