PYSEC-2026-59

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/emmett/PYSEC-2026-59.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2026-59

Aliases

CVE-2026-39847
GHSA-pr46-2v3c-5356

Published

2026-04-07T22:16:23.793Z

Modified

2026-05-20T09:18:59.901003Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Emmett is a full-stack Python web framework designed with simplicity. From 2.5.0 to before 2.8.1, the RSGI static handler for Emmett's internal assets (/emmett paths) is vulnerable to path traversal attacks. An attacker can use ../ sequences (eg /emmett/../rsgi/handlers.py) to read arbitrary files outside the assets directory. This vulnerability is fixed in 2.8.1.

References

https://github.com/emmett-framework/emmett/security/advisories/GHSA-pr46-2v3c-5356

Affected packages

PyPI / emmett

Package

Name: emmett; View open source insights on deps.dev
Purl: pkg:pypi/emmett

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.5.0

Fixed

2.8.1

Affected versions

2.*

2.5.0

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.5.6

2.5.7

2.5.8

2.5.9

2.5.10

2.5.11

2.5.12

2.5.13

2.6.0

2.6.1

2.6.2

2.6.3

2.7.0

2.7.1

2.8.0

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/emmett/PYSEC-2026-59.yaml"