Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.
5.5

eml_parser: Malicious email attachments can write files outside target directory

GHSA-389r-rccm-h3h5 CVE-2026-29780 GHSA-389r-rccm-h3h5
Summary

A security issue in a script that comes with the eml_parser module allows an attacker to write files to any location on the computer. This happens because the script doesn't check the names of email attachments carefully enough. To fix this, update to version 2.0.1 of the eml_parser module.

What to do
  • Update eml-parser to version 2.0.1.
Affected software
VendorProductAffected versionsFix available
eml-parser <= 2.0.1 2.0.1
govcert.lu eml_parser <= 2.0.1
Original title
eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script...
Original description
eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursively_extract_attachments.py contains a path traversal vulnerability that allows arbitrary file write outside the intended output directory. Attachment filenames extracted from parsed emails are directly used to construct output file paths without any sanitization, allowing an attacker-controlled filename to escape the target directory. This issue has been patched in version 2.0.1.
ghsa CVSS3.1 5.5
Vulnerability type
CWE-22 Path Traversal
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026