{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39847", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T19:13:20.378Z", "datePublished": "2026-04-07T21:37:54.760Z", "dateUpdated": "2026-04-08T15:35:40.853Z"}, "containers": {"cna": {"title": "Emmett has a path traversal in internal assets handler", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/emmett-framework/emmett/security/advisories/GHSA-pr46-2v3c-5356", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/emmett-framework/emmett/security/advisories/GHSA-pr46-2v3c-5356"}], "affected": [{"vendor": "emmett-framework", "product": "emmett", "versions": [{"version": ">= 2.5.0, < 2.8.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T21:37:54.760Z"}, "descriptions": [{"lang": "en", "value": "Emmett is a full-stack Python web framework designed with simplicity. From 2.5.0 to before 2.8.1, the RSGI static handler for Emmett's internal assets (/__emmett__ paths) is vulnerable to path traversal attacks. An attacker can use ../ sequences (eg /__emmett__/../rsgi/handlers.py) to read arbitrary files outside the assets directory. This vulnerability is fixed in 2.8.1."}], "source": {"advisory": "GHSA-pr46-2v3c-5356", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:33:34.667959Z", "id": "CVE-2026-39847", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:35:40.853Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39847", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T15:33:34.667959Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:33:46.937Z"}}], "cna": {"title": "Emmett has a path traversal in internal assets handler", "source": {"advisory": "GHSA-pr46-2v3c-5356", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "emmett-framework", "product": "emmett", "versions": [{"status": "affected", "version": ">= 2.5.0, < 2.8.1"}]}], "references": [{"url": "https://github.com/emmett-framework/emmett/security/advisories/GHSA-pr46-2v3c-5356", "name": "https://github.com/emmett-framework/emmett/security/advisories/GHSA-pr46-2v3c-5356", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Emmett is a full-stack Python web framework designed with simplicity. From 2.5.0 to before 2.8.1, the RSGI static handler for Emmett's internal assets (/__emmett__ paths) is vulnerable to path traversal attacks. An attacker can use ../ sequences (eg /__emmett__/../rsgi/handlers.py) to read arbitrary files outside the assets directory. This vulnerability is fixed in 2.8.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T21:37:54.760Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39847", "state": "PUBLISHED", "dateUpdated": "2026-04-08T15:35:40.853Z", "dateReserved": "2026-04-07T19:13:20.378Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T21:37:54.760Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:emmett:emmett:*:*:*:*:*:*:*:*", "matchCriteriaId": "82CB3A2E-E01B-4420-898F-517EE34E670F", "versionEndExcluding": "2.8.1", "versionStartIncluding": "2.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Emmett is a full-stack Python web framework designed with simplicity. From 2.5.0 to before 2.8.1, the RSGI static handler for Emmett's internal assets (/__emmett__ paths) is vulnerable to path traversal attacks. An attacker can use ../ sequences (eg /__emmett__/../rsgi/handlers.py) to read arbitrary files outside the assets directory. This vulnerability is fixed in 2.8.1."}], "id": "CVE-2026-39847", "lastModified": "2026-04-16T04:31:28.903", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-07T22:16:23.793", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/emmett-framework/emmett/security/advisories/GHSA-pr46-2v3c-5356"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.5.0,2.8.1)"}}], "enrichment": {"confidence": 82.0, "confidence_source": "matching", "scores": [{"score": 82.0, "source": "matching"}]}, "original": {"product": "emmett", "source": "cna", "vendor": "emmett-framework"}, "product": "core", "vendor": "emmett-framework"}], "analysis": {"en": {"generated_at": "2026-04-07T23:46:13.062542+00:00", "value": {"mitigation_remediation": ["Upgrade Emmett to version 2.8.1 or newer", "Disable or restrict access to the /__emmett__/ internal assets URL in production environments", "Perform a quick audit of exposed files to ensure no sensitive data is accessible"], "summary": {"action": "Patch Immediately", "impact": "Data exposure"}, "threat_synthesis": {"affected_systems": "The affected product is the Emmett framework, versions between 2.5.0 and before 2.8.1. The flaw exists specifically in the RSGI static handler that serves internal assets under the /__emmett__/ paths. The issue was resolved in Emmett 2.8.1, so any installation still running an earlier release remains vulnerable.", "description_and_impact": "Emmett, a full\u2011stack Python web framework, implements an internal assets handler accessible via the /__emmett__/ path. From versions 2.5.0 up to (but excluding) 2.8.1, this handler is susceptible to path traversal, allowing an attacker to include \u2018../\u2019 sequences in the request URL to read files outside the intended assets directory. The vulnerability is a classic file\u2011system traversal flaw, corresponding to CWE\u201122, and can lead to arbitrary file reading, potentially exposing configuration files, source code, or other sensitive data. The assessed CVSS score of 9.1 reflects the significant impact on confidentiality, with no known requirement for local or privileged execution.", "risk_and_exploitability": "With a CVSS score of 9.1, the vulnerability carries high severity. There is no EPSS score available, and the flaw is not listed in the CISA KEV catalog, but the path traversal can be exploited remotely by an unauthenticated attacker simply by constructing a crafted HTTP request to the vulnerable endpoint. Once the request is received, the server will resolve the traversal and return the requested file, making this a straightforward remote exploitation scenario."}}}}, "created": "2026-04-08T19:45:27.041657+00:00", "updated": "2026-04-09T08:23:00.709232+00:00", "vendors": ["emmett-framework", "emmett-framework$PRODUCT$core"]}