CVE-2026-3029: PyMuPDF has a path traversal in _main_.py

March 19, 2026

A path traversal and arbitrary file write vulnerability exist in the embedded get function in ‘main.py’ in PyMuPDF version, 1.26.5.

References

github.com/advisories/GHSA-cxqh-p2w9-fmr7
github.com/pymupdf/PyMuPDF
nvd.nist.gov/vuln/detail/CVE-2026-3029
www.kb.cert.org/vuls/id/504749

Code Behaviors & Features

Detect and mitigate CVE-2026-3029 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →