CVE-2026-46338
MEDIUM Exploitation: PoC
4.3
CVSS 3.1
Description
PyMdown Extensions is a set of extensions for the Python-Markdown markdown project. From 10.0.1 until 10.21.3, pymdownx.snippets uses a string-prefix containment check in SnippetPreprocessor.get_snippet_path() in pymdownx/snippets.py when `restrict_base_path: True`, allowing markdown snippet directives to read files from sibling paths that share the same base_path prefix, such as docs and docs_internal. This is a regression of CVE-2023-32309. This issue is fixed in version 10.21.3.
Metadata
Severity & Metrics
4.3
MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
SSVC — CISA Coordinator
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| facelessuser | pymdown-extensions | — | >= 10.0.1, < 10.21.3 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-22 | cna | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 4.3 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
References (3)
- https://github.com/facelessuser/pymdown-extensions/security/advisories/GHSA-62q4-447f-wv8h https://github.com/facelessuser/pymdown-extensions/security/advisories/GHSA-62q4-447f-wv8h
- https://github.com/facelessuser/pymdown-extensions/commit/63b7835776d703d6c339cf2110d9888f676efc0c https://github.com/facelessuser/pymdown-extensions/commit/63b7835776d703d6c339cf2110d9888f676efc0c
- https://github.com/facelessuser/pymdown-extensions/releases/tag/10.21.3 https://github.com/facelessuser/pymdown-extensions/releases/tag/10.21.3