CVE-2026-29780
MEDIUM
GHSA-389r-rccm-h3h5
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
4Description
eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursively_extract_attachments.py contains a path traversal vulnerability that allows arbitrary file write outside the intended output directory. Attachment filenames extracted from parsed emails are directly used to construct output file paths without any sanitization, allowing an attacker-controlled filename to escape the target directory. This issue has been patched in version 2.0.1.
Analysis
Unsanitized attachment filenames in eml_parser prior to version 2.0.1 enable path traversal attacks, allowing attackers to write files outside the intended output directory when the example extraction script processes malicious emails. Organizations using the vulnerable example code or similar attachment handling logic are at risk of unauthorized file writes that could overwrite critical files or introduce malicious content. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running the e-mail as well as computed information. and apply vendor patches as part of regular patch cycle. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today