CVE-2026-39847
Received Received - Intake
Path Traversal in Emmett RSGI Static Handler Allows Arbitrary File Read

Publication date: 2026-04-07

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
Emmett is a full-stack Python web framework designed with simplicity. From 2.5.0 to before 2.8.1, the RSGI static handler for Emmett's internal assets (/__emmett__ paths) is vulnerable to path traversal attacks. An attacker can use ../ sequences (eg /__emmett__/../rsgi/handlers.py) to read arbitrary files outside the assets directory. This vulnerability is fixed in 2.8.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39847
EUVD
EUVD-2026-19974
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
emmett emmett From 2.5.0 (inc) to 2.8.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the Emmett full-stack Python web framework versions from 2.5.0 up to but not including 2.8.1. It involves the RSGI static handler responsible for serving Emmett's internal assets located under the /__emmett__ paths. The handler is vulnerable to path traversal attacks, which means an attacker can manipulate the URL by including sequences like ../ to access files outside the intended assets directory. For example, an attacker could request /__emmett__/../rsgi/handlers.py to read arbitrary files on the server.

Impact Analysis

This vulnerability can have serious impacts because it allows an attacker to read arbitrary files on the server hosting the Emmett application. This could lead to exposure of sensitive information such as configuration files, source code, credentials, or other private data. The CVSS score of 9.1 indicates a high severity, with the potential for complete confidentiality loss and partial availability impact, meaning the attacker can access sensitive data without any privileges or user interaction.

Mitigation Strategies

To mitigate this vulnerability, upgrade Emmett to version 2.8.1 or later, where the path traversal issue in the RSGI static handler has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39847. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart