What is the CVSS score of CVE-2026-29780?

CVE-2026-29780 has a CVSS 3.1 base score of 5.5 (Medium). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Python are affected by CVE-2026-29780?

Organizations using the e-mail as well as computed information. should be aware of moderate risk from CVE-2026-29780, a path traversal vulnerability rated CVSS 5.5.. A patch is available.

Is there a public PoC exploit available for CVE-2026-29780?

Yes, a public proof-of-concept exploit is available for CVE-2026-29780. Prioritise patching immediately. EPSS: 0.0%.

Python CVE-2026-29780

MEDIUM

Path Traversal (CWE-22)

2026-03-07 security-advisories@github.com

GHSA-389r-rccm-h3h5

Python Path Traversal Eml Parser

5.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 11, 2026 - 22:02 vuln.today

Public exploit code

Patch released

Mar 11, 2026 - 22:02 nvd

Patch available

CVE Published

Mar 07, 2026 - 16:15 nvd

MEDIUM 5.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

1 pypi packages depend on eml-parser (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.0.1.

DescriptionNVD

eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursively_extract_attachments.py contains a path traversal vulnerability that allows arbitrary file write outside the intended output directory. Attachment filenames extracted from parsed emails are directly used to construct output file paths without any sanitization, allowing an attacker-controlled filename to escape the target directory. This issue has been patched in version 2.0.1.

AnalysisAI

Unsanitized attachment filenames in eml_parser prior to version 2.0.1 enable path traversal attacks, allowing attackers to write files outside the intended output directory when the example extraction script processes malicious emails. Organizations using the vulnerable example code or similar attachment handling logic are at risk of unauthorized file writes that could overwrite critical files or introduce malicious content. …

RemediationAI

Within 30 days: Identify affected systems running the e-mail as well as computed information. and apply vendor patches as part of regular patch cycle. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-29780 vulnerability details – vuln.today

Back

Python CVE-2026-29780

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code