CVE-2026-29780
MEDIUM EPSS 14.6%
Published Mar 7, 2026 · Modified Mar 11, 2026
5.5 CVSS 3.1
Description
eml_parser is a Python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursively_extract_attachments.py contains a path traversal vulnerability that allows arbitrary file writes outside the intended output directory. Attachment filenames extracted from parsed emails are used directly to construct output file paths without any sanitization, so an attacker-controlled filename can escape the target directory. This issue has been patched in version 2.0.1.
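One way to constrain untrusted attachment filenames to an output directory before writing, shown as an added example; it is not the eml_parser patch or the project's code. The helper names `safe_attachment_path` and `save_attachment` are hypothetical and the sample filenames are constructed.

```python
import os
import tempfile
from pathlib import Path, PureWindowsPath


def safe_attachment_path(out_dir: Path, filename: str) -> Path:
    """Map an untrusted attachment filename to a path inside out_dir (hypothetical helper)."""
    # PureWindowsPath splits on both '/' and '\\', so .name drops directory
    # components, drive letters and leading slashes regardless of host OS.
    name = PureWindowsPath(filename.replace("\x00", "")).name.strip()
    if name in ("", ".", ".."):
        raise ValueError(f"unusable attachment filename: {filename!r}")
    base = out_dir.resolve()
    candidate = (base / name).resolve()
    # Defence in depth: after symlink resolution the target must still sit under base.
    if os.path.commonpath([base, candidate]) != str(base):
        raise ValueError(f"filename escapes output directory: {filename!r}")
    return candidate


def save_attachment(out_dir: Path, filename: str, data: bytes) -> Path:
    target = safe_attachment_path(out_dir, filename)
    with open(target, "xb") as fh:  # "xb": never overwrite an existing file
        fh.write(data)
    return target


def demo() -> dict:
    """Feed constructed filenames through the check; value is the path relative to out_dir."""
    samples = ["report.pdf", "../../outside.txt", "..\\..\\outside.bat",
               "/abs/path/key.pem", "..", ""]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "attachments"
        out.mkdir()
        for raw in samples:
            try:
                saved = save_attachment(out, raw, b"constructed payload")
                results[raw] = str(saved.relative_to(out.resolve()))
            except ValueError:
                results[raw] = None  # rejected, nothing written
    return results


if __name__ == "__main__":
    for raw, outcome in demo().items():
        print(f"{raw!r:24} -> {outcome}")
```

Names that reduce to nothing usable are rejected rather than renamed; a caller that must keep every attachment can substitute a generated name (for example a content hash) in the `ValueError` branch.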
CVSS Details
Vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: None
- Integrity: High
- Availability: None
Threat Intelligence
EPSS Exploit Probability
14.6% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-22 Path Traversal Resource Mgmt
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| govcert.lu | eml_parser | * | <2.0.1 |
References 3
- https://github.com/GOVCERT-LU/eml_parser/commit/99af03a09a90aaaaadd0ed2ffb5eea46d1ea2cc9
- https://github.com/GOVCERT-LU/eml_parser/issues/88
- https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-389r-rccm-h3h5
Remediation
- https://github.com/GOVCERT-LU/eml_parser/commit/99af03a09a90aaaaadd0ed2ffb5eea46d1ea2cc9