CVE-2026-29780
Last modified
CVE-2026-29780 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursively_extract_attachments.py contains a path traversal vulnerability that allows arbitrary file write outside the intended output directory. EPSS estimates a 0.24% chance of exploitation in the next 30 days.
Description
eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursively_extract_attachments.py contains a path traversal vulnerability that allows arbitrary file write outside the intended output directory. Attachment filenames extracted from parsed emails are directly used to construct output file paths without any sanitization, allowing an attacker-controlled filename to escape the target directory. This issue has been patched in version 2.0.1.
Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Govcert.Lu | Eml Parser | < 2.0.1 |
References
- https://github.com/GOVCERT-LU/eml_parser/issues/88Issue Tracking
- https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-389r-rccm-h3h5Exploit, Mitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-29780?
How severe is CVE-2026-29780?
How do I fix CVE-2026-29780?
Are you affected by CVE-2026-29780?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST