CVE-2026-29780
Received Received - Intake
Path Traversal in eml_parser Attachment Extraction Allows Arbitrary File Write

Publication date: 2026-03-07

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursively_extract_attachments.py contains a path traversal vulnerability that allows arbitrary file write outside the intended output directory. Attachment filenames extracted from parsed emails are directly used to construct output file paths without any sanitization, allowing an attacker-controlled filename to escape the target directory. This issue has been patched in version 2.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29780
EUVD
EUVD-2026-10153
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
govcert.lu eml_parser to 2.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-29780 is a path traversal vulnerability found in the official example script `examples/recursively_extract_attachments.py` of the eml-parser Python package versions prior to 2.0.1.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the script uses attachment filenames extracted from parsed emails directly to create output file paths without any sanitization or validation.'}, {'type': 'paragraph', 'content': 'An attacker can craft an email with a malicious attachment filename containing path traversal sequences (e.g., "../outside/pwned.txt") that allows writing files outside the intended output directory.'}, {'type': 'paragraph', 'content': 'This means the attacker-controlled filename can escape the target directory and write arbitrary files anywhere on the filesystem accessible by the script.'}, {'type': 'paragraph', 'content': 'The issue has been fixed in version 2.0.1 by sanitizing filenames and verifying that output paths remain within the intended directory.'}] [1]

Impact Analysis

This vulnerability allows an attacker to write arbitrary files outside the intended output directory when running the vulnerable example script.

Potential impacts include attackers placing malicious files such as cron jobs, web shells, or SSH authorized keys on the system.

  • Injection of cron jobs (e.g., writing to /etc/cron.d/backdoor)
  • Uploading web shells to web server directories (e.g., /var/www/html/shell.php)
  • Adding SSH keys to authorized_keys files (e.g., /home/user/.ssh/authorized_keys)

Such actions could lead to unauthorized code execution or persistent access on the affected system.

However, the vulnerability is limited to the example script and does not affect the core eml-parser library.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by examining if the example script `examples/recursively_extract_attachments.py` from the eml_parser package is used and whether it processes email attachments without sanitizing filenames. Specifically, look for usage of the script that writes attachments using filenames directly from the email without path normalization or validation.'}, {'type': 'paragraph', 'content': "To detect exploitation attempts or presence of the vulnerability, you can search your filesystem or logs for files written outside the intended output directory, especially files with suspicious path traversal patterns like '../' in filenames."}, {'type': 'list_item', 'content': 'Check if the vulnerable script is present and used: `ls examples/recursively_extract_attachments.py`'}, {'type': 'list_item', 'content': "Search for files created outside the expected output directory, for example: `find /path/to/output/parent -type f -name '*pwned.txt'` or `find / -path '*outside/pwned.txt'`"}, {'type': 'list_item', 'content': "Inspect recent files created with suspicious names: `find / -type f -name '*../*'` (though this may not match due to shell expansion, so check logs or script usage)"}, {'type': 'list_item', 'content': 'Review usage of the script and check if filenames are sanitized in the code (look for absence of `os.path.basename()` or path resolution checks).'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade the eml_parser package to version 2.0.1 or later, where the vulnerability has been patched.'}, {'type': 'paragraph', 'content': 'If upgrading is not immediately possible, modify the example script `examples/recursively_extract_attachments.py` to sanitize attachment filenames before writing them to disk. This includes using `os.path.basename()` to strip directory components from filenames and verifying that the resolved output path is within the intended directory.'}, {'type': 'paragraph', 'content': 'Specifically, implement code similar to the following to prevent path traversal:'}, {'type': 'list_item', 'content': "Use `filename = os.path.basename(a['filename'])` to sanitize filenames."}, {'type': 'list_item', 'content': 'Check that the resolved output path is inside the intended directory before writing files.'}, {'type': 'paragraph', 'content': 'Additionally, review any adaptations of the example script in your environment to ensure they incorporate these fixes.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29780. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart