Description
eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursively_extract_attachments.py contains a path traversal vulnerability that allows arbitrary file write outside the intended output directory. Attachment filenames extracted from parsed emails are directly used to construct output file paths without any sanitization, allowing an attacker-controlled filename to escape the target directory. This issue has been patched in version 2.0.1.
Published: 2026-03-07
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write via Path Traversal
Action: Patch Now
AI Analysis

Impact

A path traversal flaw in the official example script of eml_parser allows an attacker to supply a crafted attachment filename that causes data to be written outside the intended output directory, so arbitrary files can be overwritten or new files created in unauthorized locations.

Affected Systems

This vulnerability affects the GOVCERT-LU eml_parser package prior to version 2.0.1; the insecure example script extracts attachments without sanitizing their filenames.

Risk and Exploitability

The vulnerability scores a moderate CVSS 5.5 and has an EPSS of less than 1%, indicating a low probability of exploitation. It is not listed in the CISA KEV catalog, and exploitation requires a user to execute the example script or for a malicious email to be processed by it, which limits the attack surface.

Generated by OpenCVE AI on April 16, 2026 at 10:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade eml_parser to version 2.0.1 or later where the path traversal fix is applied.
  • If upgrade is not immediately possible, modify or replace the example script to sanitize attachment filenames before constructing file paths, ensuring they cannot escape the target directory.
  • Disable or remove the example script from untrusted or production environments and restrict the processing of external emails to trusted sources only.
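One way to implement the filename sanitization recommended above, as an added Python example that is not eml_parser's own code or its 2.0.1 fix; the helper names (sanitize_filename, safe_output_path, unsafe_output_path) and the sample attachment names are constructed for illustration. It shows the vulnerable join beside a hardened version that reduces the name to one safe component and then checks that the resolved path is still inside the output directory.

```python
import os
import re
from pathlib import Path

# Conservative allow-list for a single path component: anything else is
# replaced, so separators and control characters never reach the filesystem.
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_filename(name: str, fallback: str = "attachment.bin") -> str:
    """Reduce an untrusted attachment filename to one safe path component."""
    # Keep only the last component, honouring both '/' and '\' separators,
    # and drop NUL bytes, which many filesystems treat as string terminators.
    name = name.replace("\\", "/").split("/")[-1].replace("\x00", "")
    # Replace disallowed characters, then strip leading/trailing dots and
    # spaces so '.', '..' and '...' can never survive as a name.
    name = _UNSAFE_CHARS.sub("_", name).strip(". ")
    return name or fallback


def safe_output_path(out_dir: str, attachment_name: str) -> Path:
    """Join the sanitized name to out_dir and verify the result stays inside it."""
    base = Path(out_dir).resolve()
    target = (base / sanitize_filename(attachment_name)).resolve()
    # Defence in depth: even if sanitization regressed, or an existing entry
    # in out_dir is a symlink pointing elsewhere, refuse to write outside base.
    if base not in target.parents:
        raise ValueError(f"refusing to write outside {base}: {target}")
    return target


def unsafe_output_path(out_dir: str, attachment_name: str) -> str:
    """The vulnerable pattern, for contrast: the untrusted name is joined
    verbatim, so '..' components (or an absolute name) leave out_dir."""
    return os.path.join(out_dir, attachment_name)


# Constructed attachment names, as they might come out of a parsed e-mail.
SAMPLE_NAMES = ["report.pdf", "../../escaped.txt", "..\\..\\escaped.txt",
                "", "...", "a b/c\x00d.txt"]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name!r:28} unsafe -> {unsafe_output_path('attachments', name)!r}")
        print(f"{'':28} safe   -> {safe_output_path('attachments', name)!r}")
```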

Advisories
Source: GitHub GHSA
ID: GHSA-389r-rccm-h3h5
Title: eml_parser: Path Traversal in Official Example Script Leads to Arbitrary File Write
History

Wed, 11 Mar 2026 22:15:00 +0000

Values Added:
  First Time appeared: Govcert.lu; Govcert.lu eml Parser
  CPEs: cpe:2.3:a:govcert.lu:eml_parser:*:*:*:*:*:python:*:*
  Vendors & Products: Govcert.lu; Govcert.lu eml Parser

Mon, 09 Mar 2026 19:15:00 +0000

Values Added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Values Added:
  First Time appeared: Govcert-lu; Govcert-lu eml Parser
  Vendors & Products: Govcert-lu; Govcert-lu eml Parser

Sat, 07 Mar 2026 15:30:00 +0000

Values Added:
  Description: eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursively_extract_attachments.py contains a path traversal vulnerability that allows arbitrary file write outside the intended output directory. Attachment filenames extracted from parsed emails are directly used to construct output file paths without any sanitization, allowing an attacker-controlled filename to escape the target directory. This issue has been patched in version 2.0.1.
  Title: eml_parser: Path Traversal in Official Example Script Leading to Arbitrary File Write
  Weaknesses: CWE-22
  References:
  Metrics: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T18:26:58.485Z

Reserved: 2026-03-04T16:26:02.898Z

Link: CVE-2026-29780

Vulnrichment

Updated: 2026-03-09T17:52:37.702Z

NVD

Status: Analyzed

Published: 2026-03-07T16:15:55.113

Modified: 2026-03-11T22:02:41.573

Link: CVE-2026-29780

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:00:10Z

Weaknesses