CVE-2026-29780: eml_parser: Path Traversal in Official Example Script Leads to Arbitrary File Write
The official example script examples/recursively_extract_attachments.py contains a path traversal vulnerability that allows arbitrary file write outside the intended output directory. Attachment filenames extracted from parsed emails are used directly to construct output file paths without any sanitization, so an attacker-controlled filename (for example one containing parent-directory components) escapes the target directory and the attachment is written wherever that path resolves, with the privileges of the user running the script.
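The following is an added illustration written for this advisory, not code from eml_parser or from the affected example script. It places the vulnerable pattern (joining an untrusted attachment name straight onto the output directory) beside a hardened version that strips directory components, removes control characters, and verifies that the final path still resolves inside the output directory. The function names, the output directory `attachments_out`, and the sample attachment names are all constructed for the example.

```python
import re
from pathlib import Path

# Constructed sample attachment names, of the kind a Content-Disposition
# header could carry. None are taken from a real message.
SAMPLE_NAMES = [
    "invoice.pdf",
    "../../../../tmp/escaped.txt",   # POSIX-style traversal
    "..\\..\\escaped.txt",           # Windows-style traversal
    "report\x00.exe",                # embedded NUL
    "",                              # empty name
    "..",                            # bare parent reference
]


def unsafe_output_path(out_dir: Path, filename: str) -> Path:
    """Vulnerable pattern: the untrusted name is joined to out_dir unchanged.

    A name such as '../../x' therefore resolves to a location outside out_dir.
    """
    return out_dir / filename


def is_inside(out_dir: Path, candidate: Path) -> bool:
    """Return True if candidate, after normalisation, still lies under out_dir."""
    root = out_dir.resolve()
    target = candidate.resolve()
    return target == root or root in target.parents


def safe_output_path(out_dir: Path, filename: str) -> Path:
    """Hardened pattern: reduce the name to one safe component and verify containment."""
    # Keep only the last path component, whichever separator style was used.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Control characters (including NUL, which truncates paths in C APIs) are dropped.
    name = re.sub(r"[\x00-\x1f]", "", name)
    if name in ("", ".", ".."):
        raise ValueError(f"rejected attachment name {filename!r}")
    candidate = out_dir / name
    # Defence in depth: even after cleaning, confirm the path stays under out_dir.
    if not is_inside(out_dir, candidate):
        raise ValueError(f"attachment name {filename!r} escapes {out_dir}")
    return candidate


def triage(out_dir: Path, names) -> dict:
    """Map each candidate name to the basename that would be written, or None if rejected."""
    result = {}
    for n in names:
        try:
            result[n] = safe_output_path(out_dir, n).name
        except ValueError:
            result[n] = None
    return result


if __name__ == "__main__":
    out = Path("attachments_out")
    for n, decision in triage(out, SAMPLE_NAMES).items():
        print(f"{n!r:36} -> {decision!r}")
```

The containment check in `is_inside` is the part that matters: basename stripping alone handles the cases shown, but resolving the final path and comparing it against the resolved output directory also catches anything the cleaning step did not anticipate. A production extractor should additionally handle name collisions (two attachments with the same cleaned name) rather than silently overwriting.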
References
- github.com/GOVCERT-LU/eml_parser
- github.com/GOVCERT-LU/eml_parser/commit/99af03a09a90aaaaadd0ed2ffb5eea46d1ea2cc9
- github.com/GOVCERT-LU/eml_parser/issues/88
- github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-389r-rccm-h3h5
- github.com/advisories/GHSA-389r-rccm-h3h5
- nvd.nist.gov/vuln/detail/CVE-2026-29780