Impact
Emmett, a full‑stack Python web framework, implements an internal assets handler accessible via the /__emmett__/ path. From versions 2.5.0 up to (but excluding) 2.8.1, this handler is susceptible to path traversal, allowing an attacker to include ‘../’ sequences in the request URL to read files outside the intended assets directory. The vulnerability is a classic file‑system traversal flaw, corresponding to CWE‑22, and can lead to arbitrary file reading, potentially exposing configuration files, source code, or other sensitive data. The assessed CVSS score of 9.1 reflects the significant impact on confidentiality, with no known requirement for local or privileged execution.
Affected Systems
The affected product is the Emmett framework, versions from 2.5.0 up to, but not including, 2.8.1. The flaw exists specifically in the RSGI static handler that serves internal assets under the /__emmett__/ path prefix. The issue was resolved in Emmett 2.8.1, so any installation still running an earlier release remains vulnerable.
Risk and Exploitability
With a CVSS score of 9.1, the vulnerability carries high severity. There is no EPSS score available, and the flaw is not listed in the CISA KEV catalog, but the path traversal can be exploited remotely by an unauthenticated attacker simply by constructing a crafted HTTP request to the vulnerable endpoint. Once the request is received, the server will resolve the traversal and return the requested file, making this a straightforward remote exploitation scenario.