DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-39847: CVE-2026-39847: Critical Path Traversal in Emmett RSGI Static Handler

#security #cve #cybersecurity

CVE-2026-39847: Critical Path Traversal in Emmett RSGI Static Handler

Vulnerability ID: CVE-2026-39847
CVSS Score: 9.1
Published: 2026-04-08

The Emmett Python web framework contains a critical path traversal vulnerability in its RSGI static asset handler. Versions 2.5.0 through 2.8.0 fail to sanitize file paths passed to the internal /emmett/ routing prefix, allowing unauthenticated remote attackers to read arbitrary files from the server filesystem.

TL;DR

Unauthenticated remote attackers can read arbitrary local files via a path traversal flaw in Emmett's internal static asset handler (/emmett/). Upgrading to version 2.8.1 resolves the issue.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22
  • Attack Vector: Network (Remote)
  • CVSS v3.1 Score: 9.1 (Critical)
  • Impact: High Confidentiality, High Availability
  • Exploit Status: Proof of Concept Available
  • CISA KEV Status: Not Listed

Affected Systems

  • Emmett Framework versions 2.5.0 through 2.8.0
  • Emmett: >= 2.5.0, < 2.8.1 (Fixed in: 2.8.1)

Code Analysis

Commit: 1c0cc24

Security logic patch addressing path traversal in RSGI static handler

Introduces os.path.realpath and .startswith() checks for static asset validation
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • Security Advisories: Proof of Concept outlined in the official vulnerability disclosure report.

Mitigation Strategies

  • Upgrade Emmett framework to patched version 2.8.1.
  • Deploy reverse proxy rules blocking ../ or %2e%2e in /__emmett__/ routes.
  • Implement generic WAF rules targeting path traversal anomalies.

Remediation Steps:

  1. Verify the installed version of Emmett using pip show emmett.
  2. If the version is between 2.5.0 and 2.8.0, upgrade the package via pip install --upgrade emmett.
  3. Restart the application processes and web servers hosting the Emmett application.
  4. Verify the application functions correctly and test the /__emmett__/ route to ensure it returns a 404 for traversal attempts.

References

Read the full report for CVE-2026-39847 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)