Cyber Resilience

CVE-2026-3029

Severity: High (updated)
Published: 19 March 2026
Modified: 30 June 2026
KEV added: not listed
Patch: available
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0052 (40.2nd percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-3029 is a high-severity path traversal (CWE-22) vulnerability with a CVSS v3.1 base score of 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 40.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3029 is a path traversal and arbitrary file write vulnerability in the embedded get function within __main__.py of PyMuPDF version 1.26.5. Published on 2026-03-19T16:16:04.297, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its potential for significant availability disruption.

Remote unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By leveraging the path traversal flaw in the get function, they can achieve arbitrary file writes, resulting in high impact to system availability such as denial of service.

The fix is in the PyMuPDF GitHub repository, commit 603cafe38a183b8bab34f16d05043b4185d8d40a. Additional details are available in the CERT advisory at https://www.kb.ert.org/vuls/id/504749 and the project repository at http://github.com/pymupdf/PyMuPDF.

Vulnerability details

A path traversal and arbitrary file write vulnerability exists in the embedded get function in __main__.py in PyMuPDF version 1.26.5.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A remote, unauthenticated path traversal that enables arbitrary file write in a network-exposed component directly supports initial access via public-application exploitation (T1190); the resulting file overwrites enable application or system denial of service (T1499.004), matching the availability impact in the CVSS vector.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

PyMuPDF (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly requires timely identification, reporting, and correction of the path traversal and arbitrary file write flaw in PyMuPDF version 1.26.5.

Prevent: Scans and monitors for vulnerabilities such as CVE-2026-3029 in system components like PyMuPDF to enable proactive remediation.

Prevent: Validates inputs to block path traversal sequences that could exploit the vulnerable get function in PyMuPDF.
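As an added illustration (not PyMuPDF's code and not taken from this page), the Python below contrasts the unsafe join pattern behind the CWE-22 write described in the deeper analysis with the input validation the last control above calls for. The function names, the in-memory embedded-file table and the sample names are constructed assumptions.

```python
"""Constructed illustration of the CWE-22 pattern behind CVE-2026-3029 and a
hardened equivalent.  Not PyMuPDF's code: names and sample data are assumed."""
import os
from pathlib import Path

# Constructed stand-in for a PDF's embedded-file table: the producer of the
# PDF controls these names, so the extractor must not trust them.
EMBEDDED_FILES = {
    "report.csv": b"id,value\n1,42\n",
    "../../outside/owned.txt": b"lands outside the output directory\n",
    "/abs/elsewhere.txt": b"absolute name\n",
}

def unsafe_target(out_dir: str, name: str) -> str:
    # Vulnerable pattern: the untrusted name is joined straight onto out_dir,
    # so '..' segments and absolute names escape it (arbitrary file write).
    return os.path.join(out_dir, name)

def unsafe_escapes(out_dir: str, name: str) -> bool:
    """True when the vulnerable join would resolve outside out_dir."""
    base = os.path.realpath(out_dir)
    dest = os.path.realpath(unsafe_target(out_dir, name))
    return os.path.commonpath([base, dest]) != base

def safe_target(out_dir: str, name: str) -> Path:
    """Hardened form: accept only a single plain filename component and
    prove the resolved destination is still inside out_dir before writing."""
    base = Path(out_dir).resolve()
    p = Path(name)
    if p.is_absolute() or len(p.parts) != 1 or p.name in ("", ".", ".."):
        raise ValueError(f"refusing name with path components: {name!r}")
    dest = (base / p.name).resolve()
    if dest.parent != base:  # defence in depth (e.g. a pre-planted symlink)
        raise ValueError(f"destination escapes output directory: {name!r}")
    return dest

def extract_all(out_dir: str, files=EMBEDDED_FILES) -> dict:
    """Write every embedded file through safe_target; return name -> outcome."""
    Path(out_dir).mkdir(parents=True, exist_ok=True)
    results = {}
    for name, data in files.items():
        try:
            dest = safe_target(out_dir, name)
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
            continue
        dest.write_bytes(data)
        results[name] = f"written: {dest.name}"
    return results
```

Rejecting rather than silently flattening a traversal name also gives operators a log-worthy signal that a hostile document was processed.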

References