{"id":"PYSEC-2026-59","details":"Emmett is a full-stack Python web framework designed with simplicity. In versions 2.5.0 up to but not including 2.8.1, the RSGI static handler for Emmett's internal assets (/__emmett__ paths) is vulnerable to path traversal. An attacker can use ../ sequences (e.g., /__emmett__/../rsgi/handlers.py) to read arbitrary files outside the assets directory. This vulnerability is fixed in 2.8.1.","aliases":["CVE-2026-39847","GHSA-pr46-2v3c-5356"],"modified":"2026-05-20T09:18:59.901003Z","published":"2026-04-07T22:16:23.793Z","references":[{"type":"ADVISORY","url":"https://github.com/emmett-framework/emmett/security/advisories/GHSA-pr46-2v3c-5356"}],"affected":[{"package":{"name":"emmett","ecosystem":"PyPI","purl":"pkg:pypi/emmett"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.5.0"},{"fixed":"2.8.1"}]}],"versions":["2.5.0","2.5.1","2.5.10","2.5.11","2.5.12","2.5.13","2.5.2","2.5.3","2.5.4","2.5.5","2.5.6","2.5.7","2.5.8","2.5.9","2.6.0","2.6.1","2.6.2","2.6.3","2.7.0","2.7.1","2.8.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/emmett/PYSEC-2026-59.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}