CVE-2026-29780

Source
https://cve.org/CVERecord?id=CVE-2026-29780
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29780.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-29780
Aliases
Published
2026-03-07T15:22:43.645Z
Modified
2026-07-15T01:49:15.693843075Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
eml_parser: Path Traversal in Official Example Script Leading to Arbitrary File Write
Details

emlparser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursivelyextract_attachments.py contains a path traversal vulnerability that allows arbitrary file write outside the intended output directory. Attachment filenames extracted from parsed emails are directly used to construct output file paths without any sanitization, allowing an attacker-controlled filename to escape the target directory. This issue has been patched in version 2.0.1.

Database specific
{
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29780.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/govcert-lu/eml_parser

Affected ranges

Type
GIT
Repo
https://github.com/govcert-lu/eml_parser
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:govcert.lu:eml_parser:*:*:*:*:*:python:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.0.1"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.5
v0.9
v1.*
v1.0
v1.1
v1.10
v1.11
v1.11.1
v1.11.2
v1.11.3
v1.11.4
v1.11.5
v1.11.6
v1.11.7
v1.12.0
v1.13.0
v1.14.0
v1.14.1
v1.14.2
v1.14.3
v1.14.4
v1.14.5
v1.14.6
v1.14.7
v1.14.8
v1.15.0
v1.16.0
v1.17.0
v1.17.1
v1.17.2
v1.17.3
v1.17.4
v1.17.5
v1.2
v1.4
v1.5
v1.6
v1.7
v1.8
v1.9
v2.*
v2.0.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29780.json"