CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Description
Emmett is a full-stack Python web framework designed with simplicity in mind. In versions from 2.5.0 up to, but not including, 2.8.1, the RSGI static handler for Emmett's internal assets (the /__emmett__ paths) is vulnerable to path traversal. An attacker can use ../ sequences (e.g. /__emmett__/../rsgi/handlers.py) to read arbitrary files outside the assets directory. This vulnerability is fixed in 2.8.1.
Analysis
A path traversal flaw in the Emmett Python web framework, versions 2.5.0 through 2.8.0, allows unauthenticated remote attackers to read arbitrary files from the server filesystem via crafted requests to the RSGI static handler for internal assets. The handler does not reject parent-directory references, so inserting ../ sequences into /__emmett__ paths (e.g., /__emmett__/../rsgi/handlers.py) escapes the assets directory and exposes files such as application source code, configuration files, and credentials. Exploitation needs no authentication or user interaction and is a single GET request, which is why the vector scores AV:N/AC:L/PR:N/UI:N. …
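To make the mechanism concrete, here is an added example (not Emmett's own handler code) of a minimal static-asset resolver in the vulnerable shape the analysis describes, next to a hardened version that decodes once, normalises the path, and verifies containment before serving. The assets root /srv/app/assets and the function names are assumptions for illustration.

```python
import posixpath
from pathlib import Path
from urllib.parse import unquote

# Hypothetical assets root and URL prefix; ASSETS_DIR is an assumed path,
# and nothing in this file is Emmett's own handler code.
ASSETS_DIR = Path("/srv/app/assets")
PREFIX = "/__emmett__/"


def resolve_naive(url_path: str) -> Path:
    """Vulnerable pattern: strip the prefix and join the remainder onto the root.

    Nothing stops '..' segments, so '/__emmett__/../rsgi/handlers.py'
    maps to '<root>/../rsgi/handlers.py', i.e. a file outside the root.
    """
    return ASSETS_DIR / url_path[len(PREFIX):]


def naive_escapes_root(url_path: str) -> bool:
    """True when the naive join lands outside ASSETS_DIR once '..' is collapsed."""
    target = posixpath.normpath(resolve_naive(url_path).as_posix())
    root = ASSETS_DIR.as_posix()
    return not (target == root or target.startswith(root + "/"))


def resolve_safe(url_path: str):
    """Hardened resolver: decode once, normalise, reject escapes, verify containment.

    Returns the absolute Path inside ASSETS_DIR, or None when the request
    must be refused (the caller should answer 404 without explaining why).
    """
    if not url_path.startswith(PREFIX):
        return None
    # Decode percent-encoding exactly once, as the server would, so that
    # '%2e%2e' is seen as '..' and cannot slip past the checks below.
    rel = unquote(url_path[len(PREFIX):])
    if "\x00" in rel or "\\" in rel:
        return None
    # Collapse '.' and '..' lexically; anything that still begins with
    # '..' or '/' is trying to leave the root.
    norm = posixpath.normpath(rel)
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        return None
    root = ASSETS_DIR.resolve()
    full = (root / norm).resolve()
    # Filesystem-aware final check: a symlink inside the root must not
    # lead outside it either.
    if full != root and root not in full.parents:
        return None
    return full
```

The lexical check alone is not enough (a symlink under the root can still point elsewhere), and the resolve-and-compare check alone is awkward to reason about for paths that do not exist yet, so the hardened version does both. Decoding is done exactly once: decoding repeatedly would let a double-encoded request mean something different to this check than to the rest of the server.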
Remediation
Within 24 hours: identify all production systems running Emmett 2.5.0 through 2.8.0 using asset inventory and dependency scanning tools, and schedule the upgrade to 2.8.1 or later, which is the actual fix; the controls below only reduce exposure until it ships. Within 7 days: implement network-level access controls to restrict or disable the /__emmett__ endpoint at the load balancer or WAF, and deploy request filtering that rejects any ".." path segment under /__emmett__. Match on the percent-decoded path: a filter for the literal string "../" misses encoded forms such as %2e%2e/ and ..%2f. Review access logs for past requests of this shape, treating any that received a 200 response as a likely successful file read. …
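The log review and the filtering rule above share one detection step: decode the request path and look for a ".." segment under /__emmett__. The following added example (not from vuln.today or the Emmett project) runs that check over constructed access-log lines in combined log format; the addresses, timestamps and file names are fabricated for illustration, and the decode loop also catches double-encoded variants so the same logic can back a WAF rule.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined log format, addresses from
# documentation ranges); not real traffic from any host.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /__emmett__/css/app.css HTTP/1.1" 200 1842
203.0.113.7 - - [01/Jan/2026:10:00:02 +0000] "GET /__emmett__/../rsgi/handlers.py HTTP/1.1" 200 9123
198.51.100.9 - - [01/Jan/2026:10:00:03 +0000] "GET /__emmett__/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 2410
198.51.100.9 - - [01/Jan/2026:10:00:04 +0000] "GET /__emmett__/js/..%2fconfig.py HTTP/1.1" 404 120
192.0.2.5 - - [01/Jan/2026:10:00:05 +0000] "GET /static/..%252f..%252fapp.py HTTP/1.1" 404 120
192.0.2.5 - - [01/Jan/2026:10:00:06 +0000] "GET /__emmett__/img/logo..png HTTP/1.1" 200 512
"""

REQ_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def normalize_target(target: str) -> str:
    """Path component of the request target, percent-decoded until stable.

    Decoding repeatedly catches double encoding (%252e -> %2e -> .), and
    backslashes are folded to '/' so '..\\' is not missed either.
    """
    path = urlsplit(target).path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(path: str, prefix: str = "/__emmett__/") -> bool:
    """True if a '..' segment appears under the prefix.

    Whole-segment matching, rather than the substring '..', keeps
    legitimate names such as 'logo..png' from being flagged.
    """
    if not path.startswith(prefix):
        return False
    return any(seg == ".." for seg in path[len(prefix):].split("/"))


def flag_traversal_requests(log_text: str, prefix: str = "/__emmett__/"):
    """Return (client_ip, raw_target, status) for each traversal attempt.

    A 200 on a flagged line means the handler most likely served the file,
    so the host should be treated as compromised rather than merely probed.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        if is_traversal(normalize_target(m.group("target")), prefix):
            hits.append((m.group("ip"), m.group("target"), m.group("status")))
    return hits


if __name__ == "__main__":
    for ip, target, status in flag_traversal_requests(SAMPLE_LOG):
        print(f"{status} {ip} {target}")
```

Run against the sample, the three /__emmett__ requests containing a parent reference are reported and the /static request is not, because it is outside the advisory's scope; passing a different prefix to the same functions covers other static mounts. For a blocking rule the same normalisation must happen before the match, otherwise the %2e%2e and ..%2f forms pass straight through.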
References
EUVD-2026-19974
GHSA-pr46-2v3c-5356