Security patch: [MODERATE] GHSA-62q4-447f-wv8h: Regression in pymdownx.snippets reintroduces sibling-prefix path traversal bypass despite restrict_base_path

GitHub Security Advisory · Security · SecurityFix · 5/19/2026
# Summary

`pymdownx.snippets` has a regression of the CVE-2023-32309 / GHSA-jh85-wwv9-24hv fix. With `restrict_base_path: True` (the default), the current `filename.startswith(base)` containment check does not enforce a directory boundary. As a result, a markdown snippet directive can read files fr
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
Package: pymdown-extensions (python)

Source payload preview
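The flaw the advisory describes is a bare string-prefix test standing in for a directory-boundary test. The following is an added example, not code from pymdown-extensions: `naive_is_within` mirrors the regressed `startswith` pattern, `is_within` enforces a real directory boundary via `os.path.commonpath`, and `resolve_snippet` shows how a snippet name would be resolved under either check. All paths are constructed POSIX examples and the function names are hypothetical.

```python
import os
from typing import Callable, Optional


def naive_is_within(base: str, candidate: str) -> bool:
    """The regressed pattern: a string-prefix test on absolute paths.

    It accepts any path whose text begins with `base`, including a
    sibling directory such as `<base>_private`, so it is not a
    containment check at all.
    """
    return os.path.abspath(candidate).startswith(os.path.abspath(base))


def is_within(base: str, candidate: str) -> bool:
    """Directory-boundary check: the common ancestor must be `base` itself."""
    base_real = os.path.realpath(base)
    cand_real = os.path.realpath(candidate)
    try:
        return os.path.commonpath([base_real, cand_real]) == base_real
    except ValueError:  # no common ancestor (e.g. different drives)
        return False


def resolve_snippet(
    base: str, requested: str, check: Callable[[str, str], bool] = is_within
) -> Optional[str]:
    """Resolve a snippet name relative to `base`, or None if it escapes.

    `os.path.join` discards `base` when `requested` is absolute, which is
    exactly the input the boundary check must catch.
    """
    candidate = os.path.join(base, requested)
    return os.path.realpath(candidate) if check(base, candidate) else None


# Constructed cases: (requested snippet, naive verdict, correct verdict)
BASE = "/srv/docs"
CASES = [
    ("guide/intro.md", True, True),              # ordinary file under base
    ("../etc/passwd", False, False),             # dot-dot: both checks reject
    ("/srv/docs_private/secret.md", True, False),  # sibling prefix: only the
]                                                  # boundary check rejects


def audit() -> list:
    """Return (requested, naive, correct) verdicts for each constructed case."""
    return [
        (req, naive_is_within(BASE, os.path.join(BASE, req)),
         is_within(BASE, os.path.join(BASE, req)))
        for req, _, _ in CASES
    ]
```

The `audit()` results show why the prefix test is unsafe even though it rejects the classic `..` traversal: the sibling-prefix case passes it and fails the boundary check.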
{
  "ghsaId": "GHSA-62q4-447f-wv8h",
  "summary": "Regression in pymdownx.snippets reintroduces sibling-prefix path traversal bypass despite restrict_base_path",
  "severity": "MODERATE",
  "updatedAt": "2026-05-19T20:00:30Z",
  "references": [
    {
      "url": "https://github.com/facelessuser/pymdown-extensions/security/advisories/GHSA-62q4-447f-wv8h"
    },
    {
      "url": "https://github.com/facelessuser/pymdown-extensions/pull/2039"
    },
    {
      "url": "https://github.com/advisories/GHSA-62q4-447f-wv8h"
    }
  ],
"description": "# Summary\n\n`pymdownx.snippets` has a regression of the CVE-2023-32309 / GHSA-jh85-wwv9-24hv fix. With `restrict_base_path: True` (the default), the current `filename.startswith(base)` containment check does not enforce a directory boundary. As a
…