GHSA-gm8q-m8mv-jj5m

Suggest an improvement
Source
https://github.com/advisories/GHSA-gm8q-m8mv-jj5m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-gm8q-m8mv-jj5m/GHSA-gm8q-m8mv-jj5m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gm8q-m8mv-jj5m
Aliases
Published
2026-02-03T17:43:56Z
Modified
2026-02-04T20:12:06.097454Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Unstructured has Path Traversal via Malicious MSG Attachment that Allows Arbitrary File Write
Details

A Path Traversal vulnerability in the partition_msg function allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments.

## Impact An attacker can craft a malicious .msg file with attachment filenames containing path traversal sequences (e.g., ../../../etc/cron.d/malicious). When processed with process_attachments=True, the library writes the attachment to an attacker-controlled path, potentially leading to:

  • Arbitrary file overwrite
  • Remote code execution (via overwriting configuration files, cron jobs, or Python packages)
  • Data corruption

  • Denial of service

    Affected Functionality

    The vulnerability affects the MSG file partitioning functionality when process_attachments=True is enabled.

    Vulnerability Details

    The library does not sanitize attachment filenames in MSG files before using them in file write operations, allowing directory traversal sequences to escape the intended output directory.

    Workarounds

    Until patched, users can:

  • Set process_attachments=False when processing untrusted MSG files
  • Avoid processing MSG files from untrusted sources
  • Implement additional filename validation before processing
Database specific 
{
    "cwe_ids": [
        "CWE-22",
        "CWE-73"
    ],
    "github_reviewed_at": "2026-02-03T17:43:56Z",
    "nvd_published_at": "2026-02-04T18:16:07Z",
    "severity": "CRITICAL",
    "github_reviewed": true
}
References

Affected packages

PyPI / unstructured

Package

Name
unstructured
View open source insights on deps.dev
Purl
pkg:pypi/unstructured

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.18.18

Affected versions

0.*
0.0.1.dev0
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6.dev1
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.6
0.4.7
0.4.8
0.4.9
0.4.10
0.4.11
0.4.12
0.4.13
0.4.14
0.4.15
0.4.16
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.6
0.5.7
0.5.8
0.5.9
0.5.10
0.5.11
0.5.12
0.5.13
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.6.10
0.6.11
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.7.9
0.7.10
0.7.11
0.7.12
0.8.0
0.8.1
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.9.0
0.9.1
0.9.2
0.9.3
0.10.0
0.10.1
0.10.2
0.10.4
0.10.5
0.10.6
0.10.7
0.10.8
0.10.9
0.10.10
0.10.11
0.10.12
0.10.13
0.10.14
0.10.15
0.10.16
0.10.18
0.10.19.dev18
0.10.19
0.10.20
0.10.21
0.10.22
0.10.23
0.10.24
0.10.25
0.10.26
0.10.27
0.10.28
0.10.29
0.10.30
0.11.0
0.11.1
0.11.2
0.11.4
0.11.5
0.11.6
0.11.7
0.11.8
0.12.0
0.12.2
0.12.3
0.12.4
0.12.5
0.12.6
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.13.5
0.13.6
0.13.7
0.14.0
0.14.2.dev1
0.14.2
0.14.3
0.14.4
0.14.5
0.14.6
0.14.7
0.14.8
0.14.9
0.14.10
0.15.0
0.15.1
0.15.3
0.15.5
0.15.6
0.15.7
0.15.8
0.15.9
0.15.10
0.15.12
0.15.13
0.15.14
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.16.5
0.16.6
0.16.7
0.16.8
0.16.9
0.16.10
0.16.11
0.16.12
0.16.13
0.16.14
0.16.15
0.16.16
0.16.17
0.16.19
0.16.20
0.16.21
0.16.22
0.16.23
0.16.24
0.16.25
0.17.0
0.17.2
0.18.1
0.18.2
0.18.3
0.18.5
0.18.6
0.18.7
0.18.9
0.18.11
0.18.13
0.18.14
0.18.15

Database specific

last_known_affected_version_range 
"<= 0.18.17"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-gm8q-m8mv-jj5m/GHSA-gm8q-m8mv-jj5m.json"