CVE-2026-46338
4.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Summary
PyMdown Extensions is a set of extensions for the Python-Markdown markdown project. From 10.0.1 until 10.21.3, pymdownx.snippets uses a string-prefix containment check in SnippetPreprocessor.get_snippet_path() in pymdownx/snippets.py when restrict_base_path: True, allowing markdown snippet directives to read files from sibling paths that share the same base_path prefix, such as docs and docs_internal. This is a regression of CVE-2023-32309. This issue is fixed in version 10.21.3.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| facelessuser | pymdown-extensions | >= 10.0.1, < 10.21.3 | affected |
Weaknesses
- CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
References
- https://github.com/facelessuser/pymdown-extensions/security/advisories/GHSA-62q4-447f-wv8h
- https://github.com/facelessuser/pymdown-extensions/commit/63b7835776d703d6c339cf2110d9888f676efc0c
- https://github.com/facelessuser/pymdown-extensions/releases/tag/10.21.3
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.