Critical severity9.1NVD Advisory· Published Apr 7, 2026· Updated Apr 16, 2026

CVE-2026-39847

Description

Emmett is a full-stack Python web framework designed with simplicity. From 2.5.0 to before 2.8.1, the RSGI static handler for Emmett's internal assets (/__emmett__ paths) is vulnerable to path traversal attacks. An attacker can use ../ sequences (eg /__emmett__/../rsgi/handlers.py) to read arbitrary files outside the assets directory. This vulnerability is fixed in 2.8.1.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
emmettPyPI	>= 2.5.0, < 2.8.1	2.8.1

Affected products

Emmett/Emmett
cpe:2.3:a:emmett:emmett:*:*:*:*:*:*:*:*
Range: >=2.5.0,<2.8.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-pr46-2v3c-5356ghsaADVISORY
github.com/emmett-framework/emmett/security/advisories/GHSA-pr46-2v3c-5356nvdVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-39847ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.591
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000