CVE Alert

CVE-2025-53000

UNKNOWN 0.0

nbconvert has an uncontrolled search path that leads to unauthorized code execution on Windows

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

The nbconvert tool, `jupyter nbconvert`, converts Jupyter notebooks to various other formats via Jinja templates. Versions of nbconvert up to and including 7.16.6 on Windows have a vulnerability in which converting a notebook containing SVG output to a PDF results in unauthorized code execution. Specifically, a third party can create an `inkscape.bat` file that defines a Windows batch script capable of arbitrary code execution. When a user on a Windows platform runs `jupyter nbconvert --to pdf` from the directory containing that file, on a notebook containing SVG output, the `inkscape.bat` file is run unexpectedly. This issue has been patched in version 7.17.0.
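A pre-conversion check for the condition described above, as an added example (not nbconvert's code and not its 7.17.0 fix): it lists files in a working directory that are named `inkscape` and carry an extension Windows treats as runnable. The function names and the fallback `PATHEXT` list are assumptions made for this example.

```python
import os
import tempfile
from pathlib import Path

# Typical Windows PATHEXT value, used as a fallback so the check also runs
# on hosts where the variable is unset (assumption for this example).
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC"


def executable_extensions(pathext=None):
    """Return the lower-cased set of extensions Windows treats as runnable."""
    raw = pathext if pathext is not None else os.environ.get("PATHEXT", DEFAULT_PATHEXT)
    return {ext.strip().lower() for ext in raw.split(";") if ext.strip()}


def find_shadowing_files(directory, tool="inkscape", pathext=None):
    """List files in `directory` that a bare `tool` command could resolve to.

    Windows file names are case-insensitive, so the stem and the extension
    are both compared in lower case.
    """
    exts = executable_extensions(pathext)
    hits = []
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file():
            continue
        if entry.stem.lower() == tool.lower() and entry.suffix.lower() in exts:
            hits.append(entry.name)
    return hits


def safe_to_convert(directory, tool="inkscape", pathext=None):
    """True when nothing in `directory` shadows the converter's helper tool."""
    return not find_shadowing_files(directory, tool, pathext)


def demo():
    """Constructed sample: a notebook directory with a planted inkscape.bat."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("report.ipynb", "Inkscape.BAT", "inkscape.svg", "notes.txt"):
            Path(tmp, name).write_text("placeholder")  # file content is irrelevant
        return find_shadowing_files(tmp, pathext=DEFAULT_PATHEXT)


if __name__ == "__main__":
    print(demo())
```

Run it against the directory a conversion will start from (a cloned repository or an extracted archive, for instance) before invoking `jupyter nbconvert --to pdf` on a version below 7.17.0.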

CWE: CWE-427
Vendor: jupyter
Product: nbconvert
Published: Dec 17, 2025
Last Updated: Feb 18, 2026

Affected Versions

jupyter / nbconvert
< 7.17.0

References

github.com: https://github.com/jupyter/nbconvert/security/advisories/GHSA-xm59-rqc7-hhvf
github.com: https://github.com/jupyter/nbconvert/issues/2258
github.com: https://github.com/jupyter/nbconvert/commit/c9ac1d1040459ed1ff9eb34e9918ce5a87cf9d71
github.com: https://github.com/jupyter/nbconvert/blob/4f61702f5c7524d8a3c4ac0d5fc33a6ac2fa36a7/nbconvert/preprocessors/svg2pdf.py#L104
github.com: https://github.com/jupyter/nbconvert/releases/tag/v7.17.0
imperva.com: https://www.imperva.com/blog/code-execution-in-jupyter-notebook-exports