9.1
Emmett 2.5.0 to 2.8.1: Path Traversal in Web Framework Exposes Internal Files
CVE-2026-39847
GHSA-pr46-2v3c-5356
Summary
Emmett, a Python web framework, has a security weakness that allows attackers to access internal files. This means an attacker could potentially read sensitive information that should not be publicly accessible. Update to version 2.8.1 or later to fix this issue.
What to do
- Update emmett to version 2.8.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | emmett | > 2.5.0 , <= 2.8.1 | 2.8.1 |
Original title
Emmett has a path traversal in internal assets handler
Original description
The RSGI static handler for Emmett's internal assets (`/__emmett__` paths) is vulnerable to path traversal attacks.
An attacker can use `../` sequences (e.g. `/__emmett__/../rsgi/handlers.py`) to read arbitrary files outside the assets directory.
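The containment check a static handler needs for this class of bug, as an added example (not Emmett's code or its actual patch). The directory layout, the `debug.css` file and the function names are constructed for illustration; only the `/__emmett__/` prefix and the request path come from the description above.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

PREFIX = "/__emmett__/"  # internal assets prefix named in the advisory


def naive_resolve(assets_dir: Path, url_path: str) -> Path:
    """Weak pattern: join the request remainder onto the assets dir unchecked."""
    return Path(os.path.normpath(assets_dir / url_path[len(PREFIX):]))


def safe_resolve(assets_dir: Path, url_path: str) -> Optional[Path]:
    """Resolve symlinks and '..', then require the result to stay under assets_dir."""
    if not url_path.startswith(PREFIX):
        return None
    base = assets_dir.resolve()
    candidate = (base / url_path[len(PREFIX):]).resolve()
    # is_relative_to (Python 3.9+) compares path components, not string prefixes,
    # so a sibling such as "assets_private" cannot pass as "assets".
    if candidate != base and candidate.is_relative_to(base) and candidate.is_file():
        return candidate
    return None


def demo() -> dict:
    """Build a constructed package layout and resolve three request paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        assets = root / "assets"
        (root / "rsgi").mkdir()
        assets.mkdir()
        (assets / "debug.css").write_text("body{}")
        (root / "rsgi" / "handlers.py").write_text("# internal source")
        traversal = PREFIX + "../rsgi/handlers.py"  # request path from the advisory
        return {
            "naive_escapes": not naive_resolve(assets, traversal).is_relative_to(assets),
            "safe_traversal": safe_resolve(assets, traversal),
            "safe_absolute": safe_resolve(assets, PREFIX + "/etc/hostname"),
            "safe_asset_name": safe_resolve(assets, PREFIX + "debug.css").name,
        }


if __name__ == "__main__":
    print(demo())
```

A handler should answer a `None` result with 404 rather than echoing the resolved path back to the client.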
nvd CVSS3.1
9.1
Vulnerability type
CWE-22
Path Traversal
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 7 Apr 2026