CVE-2026-3029
Published: 19 March 2026
Summary
CVE-2026-3029 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 40.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-3029 is a path traversal and arbitrary file write vulnerability in the embedded get function within '_main_.py' of PyMuPDF version 1.26.5. Published on 2026-03-19T16:16:04.297, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The High rating comes from the availability impact alone (A:H); the vector scores no confidentiality or integrity impact.
Remote unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction. By leveraging the path traversal flaw in the get function, they can achieve arbitrary file writes, resulting in a high availability impact such as denial of service.
Mitigation is addressed in the PyMuPDF GitHub repository, specifically via commit 603cafe38a183b8bab34f16d05043b4185d8d40a. Additional details are available in the CERT advisory at https://www.kb.cert.org/vuls/id/504749 and the project repository at http://github.com/pymupdf/PyMuPDF.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13117
Vulnerability details
A path traversal and arbitrary file write vulnerability exists in the embedded get function in '_main_.py' in PyMuPDF version 1.26.5.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated path traversal enabling arbitrary file write in a network-exposed component directly supports initial access via public app exploitation (T1190); the resulting file overwrites facilitate application/system DoS (T1499.004) as described by the availability impact.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely identification, reporting, and correction of the path traversal and arbitrary file write flaw in PyMuPDF version 1.26.5.
- RA-5 (Vulnerability Monitoring and Scanning): Scans and monitors for vulnerabilities such as CVE-2026-3029 in system components like PyMuPDF to enable proactive remediation.
- Input validation: Validates inputs to block path traversal sequences that could exploit the vulnerable get function in PyMuPDF.
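The input validation control above is the one a developer can act on directly. The following is a constructed example added to this advisory; it is not PyMuPDF's code and not the fix in commit 603cafe38a183b8bab34f16d05043b4185d8d40a. It assumes the general shape of the flaw class named on the page: a routine writes a file out to disk under a name taken from an untrusted document (the "embedded file name" here is a hypothetical stand-in for whatever the vulnerable get function reads), and the destination directory is trusted. It shows the weak pattern (joining the untrusted name onto the destination) beside a hardened version that rejects any name carrying directory components and then confirms the resolved path is still inside the destination.

```python
"""Path-traversal hardening for an "extract embedded file to disk" routine.

Constructed example for CVE-2026-3029's vulnerability class (CWE-22);
it is not PyMuPDF's code or the project's fix. The untrusted value is
the embedded file's name, read from the document; the destination
directory is chosen by the operator and is trusted.
"""
import os
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath


def naive_output_path(dest_dir: str, embedded_name: str) -> str:
    """The weak pattern: join an attacker-controlled name onto dest_dir.

    A name containing '..' components, separators, or an absolute prefix
    steers the resulting path outside dest_dir (os.path.join discards
    dest_dir entirely when embedded_name is absolute).
    """
    return os.path.join(dest_dir, embedded_name)


def safe_output_path(dest_dir: str, embedded_name: str) -> Path:
    """Hardened pattern: accept only a bare file name inside dest_dir.

    Rejects (ValueError) rather than silently rewriting, so a hostile
    document cannot make the tool write anything it did not intend.
    """
    if not embedded_name or "\x00" in embedded_name:
        raise ValueError("empty or NUL-bearing embedded file name")
    # Reduce under both POSIX and Windows rules; if anything was stripped
    # (a directory, a drive prefix, a parent reference) the name is not bare.
    bare = PureWindowsPath(PurePosixPath(embedded_name).name).name
    if bare != embedded_name or bare in (".", ".."):
        raise ValueError(f"embedded file name carries path components: {embedded_name!r}")
    root = Path(dest_dir).resolve()
    candidate = (root / bare).resolve()
    # Belt and braces: after symlink/relative resolution the file must still
    # sit directly under the destination directory.
    if candidate.parent != root:
        raise ValueError(f"resolved path escapes destination: {embedded_name!r}")
    return candidate


def escapes(dest_dir: str, embedded_name: str) -> bool:
    """True when the naive join would land outside dest_dir on this platform."""
    root = Path(dest_dir).resolve()
    target = Path(naive_output_path(dest_dir, embedded_name)).resolve()
    return target != root and root not in target.parents


def audit(dest_dir: str, names) -> dict:
    """For each name report (naive_join_escapes, hardened_accepts)."""
    results = {}
    for name in names:
        try:
            safe_output_path(dest_dir, name)
            accepted = True
        except ValueError:
            accepted = False
        results[name] = (escapes(dest_dir, name), accepted)
    return results


# Constructed sample names, of the kind an embedded-file table in a hostile
# document might carry. None of these is taken from the advisory.
SAMPLE_NAMES = ["report.pdf", "../outside.txt", "/tmp/abs.txt", "sub\\dir\\x.txt", ".."]


def demo() -> dict:
    """Run the audit against a throwaway directory and return the table."""
    with tempfile.TemporaryDirectory() as d:
        return audit(d, SAMPLE_NAMES)


if __name__ == "__main__":
    for name, (naive_escapes, accepted) in demo().items():
        print(f"{name!r:20} naive join escapes: {naive_escapes!s:5} hardened accepts: {accepted}")
```

The fourth sample matters on a cross-platform tool: on Linux `sub\dir\x.txt` is a single odd file name and the naive join stays inside the destination, so a Linux-only test would pass, but the same document opened on Windows would traverse into `sub\dir`. Normalising under both path conventions before deciding, as `safe_output_path` does, closes that gap without needing a platform check.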