CVE-2026-29780

MEDIUM

eml-parser < 2.0.1 - Path Traversal and Arbitrary File Write via Unsanitized Attachment Filename

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-29780. PoCs published by XiaomingX, redyank.

AI-analyzed exploit summary The repository contains only a minimal README with the CVE ID and a brief mention of 'eml-parser' but no exploit code, technical details, or functional proof-of-concept.

Description

eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursively_extract_attachments.py contains a path traversal vulnerability that allows arbitrary file write outside the intended output directory. Attachment filenames extracted from parsed emails are directly used to construct output file paths without any sanitization, allowing an attacker-controlled filename to escape the target directory. This issue has been patched in version 2.0.1.

Exploits (2)

github STUB 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-29780

View Code ZIP pw:eip

The repository contains only a minimal README with the CVE ID and a brief mention of 'eml-parser' but no exploit code, technical details, or functional proof-of-concept.

Classification

Stub 90%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: unknown (eml-parser)

No auth needed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Mar 11, 2026 Full analysis →

nomisec STUB

by redyank · poc

https://github.com/redyank/CVE-2026-29780

View Code ZIP pw:eip

The repository contains only a minimal README with a CVE identifier and a brief mention of 'eml-parser' but no exploit code, technical details, or functional content.

Classification

Stub 90%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: unknown (eml-parser implied)

No auth needed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Mar 10, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-389r-rccm-h3h5

Issue Tracking x_refsource_misc

https://github.com/GOVCERT-LU/eml_parser/issues/88

Patch x_refsource_misc

https://github.com/GOVCERT-LU/eml_parser/commit/99af03a09a90aaaaadd0ed2ffb5eea46d1ea2cc9

View Patch ZIP pw:eip

Scores

CVSS v3 5.5

EPSS 0.0001

EPSS Percentile 0.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (2)

govcert.lu/eml_parser < 2.0.1

pypi/eml-parser 0 - 2.0.1PyPI

Published Mar 07, 2026

Tracked Since Mar 07, 2026