An update for python-nbconvert is now available for openEuler-24.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2196 Final 1.0 1.0 2026-05-03 Initial 2026-05-03 2026-05-03 openEuler SA Tool V1.0 2026-05-03 python-nbconvert security update An update for python-nbconvert is now available for openEuler-24.03-LTS-SP3 The nbconvert tool, jupyter nbconvert, converts notebooks to various other formats via Jinja templates. The nbconvert tool allows you to convert an .ipynb notebook file into various static formats including HTML, LaTeX, PDF, Reveal JS, Markdown (md), ReStructured Text (rst) and executable script. Security Fix(es): The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions 6.5 through 7.17.0 allow arbitrary file writes to locations outside the intended output directory when processing notebooks containing crafted cell attachment filenames. The `ExtractAttachmentsPreprocessor` passes attachment filenames directly to the filesystem without sanitization, enabling path traversal attacks. This vulnerability provides complete control over both the destination path and file extension. Version 7.17.1 contains a patch.(CVE-2026-39377) The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when `HTMLExporter.embed_images=True`, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook can exfiltrate sensitive files from the conversion host by embedding them as base64 data URIs in the output HTML. nbconvert 7.17.1 contains a fix. As a workaround, do not enable `HTMLExporter.embed_images`; it is not enabled by default.(CVE-2026-39378) An update for python-nbconvert is now available for master/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2/openEuler-24.03-LTS-SP3/openEuler-24.03-LTS-SP4. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium python-nbconvert https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2196 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-39377 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-39378 https://nvd.nist.gov/vuln/detail/CVE-2026-39377 https://nvd.nist.gov/vuln/detail/CVE-2026-39378 openEuler-24.03-LTS-SP3 python-nbconvert-7.17.1-1.oe2403sp3.src.rpm python3-nbconvert-7.17.1-1.oe2403sp3.noarch.rpm The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions 6.5 through 7.17.0 allow arbitrary file writes to locations outside the intended output directory when processing notebooks containing crafted cell attachment filenames. The `ExtractAttachmentsPreprocessor` passes attachment filenames directly to the filesystem without sanitization, enabling path traversal attacks. This vulnerability provides complete control over both the destination path and file extension. Version 7.17.1 contains a patch. 2026-05-03 CVE-2026-39377 openEuler-24.03-LTS-SP3 Medium 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N python-nbconvert security update 2026-05-03 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2196 The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when `HTMLExporter.embed_images=True`, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook can exfiltrate sensitive files from the conversion host by embedding them as base64 data URIs in the output HTML. nbconvert 7.17.1 contains a fix. As a workaround, do not enable `HTMLExporter.embed_images`; it is not enabled by default. 2026-05-03 CVE-2026-39378 openEuler-24.03-LTS-SP3 Medium 6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N python-nbconvert security update 2026-05-03 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2196