{"id":"CVE-2021-40978","details":"The mkdocs 1.2.2 built-in dev-server allows directory traversal via port 8000, enabling remote exploitation to obtain sensitive information. NOTE: the vendor has disputed this, as described in https://github.com/mkdocs/mkdocs/issues/2601 and https://github.com/nisdn/CVE-2021-40978/issues/1","aliases":["GHSA-qh9q-34h6-hcv9","PYSEC-2021-878"],"modified":"2026-04-09T08:15:01.161030Z","published":"2021-10-07T14:15:08.280Z","references":[{"type":"ADVISORY","url":"https://github.com/mkdocs/mkdocs"},{"type":"REPORT","url":"https://github.com/mkdocs/mkdocs/issues/2601"},{"type":"REPORT","url":"https://github.com/nisdn/CVE-2021-40978/issues/1"},{"type":"EVIDENCE","url":"https://github.com/nisdn/CVE-2021-40978"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mkdocs/mkdocs","events":[{"introduced":"0"},{"last_affected":"52ed45a58cbec0d9860d13e5ac123d6fd14aeca6"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.2.2"}]}}],"versions":["0.11","0.12.0","0.12.1","0.13.0","0.13.1","0.13.2","0.14.0","0.15.0","0.15.1","0.15.2","0.15.3","0.16.3","0.17.0","0.17.1","0.17.2","0.2","0.3","0.4","0.5","0.6","0.7","0.8","0.9","1.0","1.0.1","1.0.2","1.0.3","1.0.4","1.0a1","1.0b1","1.0rc1","1.1","1.1.1","1.1.2","1.2","1.2.1","1.2.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-40978.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}