CVE-2026-39847
Published: 07 April 2026
Summary
CVE-2026-39847 is a critical-severity Path Traversal (CWE-22) vulnerability in the Emmett Python web framework. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-39847 is a path traversal vulnerability (CWE-22) in the Emmett full-stack Python web framework, affecting versions from 2.5.0 up to but not including 2.8.1. The flaw exists in the RSGI static handler responsible for serving internal assets under the /__emmett__ paths. Attackers can exploit this by injecting directory traversal sequences, such as ../, to access arbitrary files outside the designated assets directory. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), highlighting its critical severity due to high impacts on confidentiality and availability.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. By sending crafted requests like /__emmett__/../rsgi/handlers.py, they can read sensitive files on the server, including potentially configuration data, source code, or other restricted resources accessible to the web server process.
The vulnerability has been fixed in Emmett version 2.8.1. Security practitioners are advised to upgrade affected installations to this version or later to mitigate the issue. Further details, including the patch and reproduction steps, are provided in the GitHub Security Advisory at https://github.com/emmett-framework/emmett/security/advisories/GHSA-pr46-2v3c-5356.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19974
Vulnerability details
Emmett is a full-stack Python web framework designed with simplicity. From 2.5.0 to before 2.8.1, the RSGI static handler for Emmett's internal assets (/__emmett__ paths) is vulnerable to path traversal attacks. An attacker can use ../ sequences (e.g. /__emmett__/../rsgi/handlers.py) to read arbitrary files outside the assets directory. This vulnerability is fixed in 2.8.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing web framework enables remote, unauthenticated arbitrary file reads, which maps directly to T1190 (initial access) and T1005 (collection of data from the local system).
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely identification, reporting, and correction of the path traversal flaw in Emmett versions 2.5.0 to 2.8.0 by upgrading to 2.8.1 or later.
SI-10 mandates validation of path inputs to the RSGI static handler to block directory traversal sequences like '../' from accessing arbitrary files.
SC-7 implements boundary protections such as web application firewalls to monitor and block crafted requests exploiting the /__emmett__ path traversal vulnerability.
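To make concrete both the defect described under "Deeper analysis" and the input validation SI-10 calls for, here is an added example (not Emmett's code and not the patch from the advisory) that contrasts the vulnerable strip-prefix-and-join pattern with a containment check. ASSETS_ROOT, the function names and the sample URL paths are constructed for the example; only the /__emmett__ prefix and the ../rsgi/handlers.py request shape come from the advisory.

```python
"""Containment check for a static-asset handler (added example, not Emmett's code)."""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed for the example: the directory the handler may serve from and
# the URL prefix it is mounted on (the advisory's /__emmett__ prefix).
ASSETS_ROOT = "/srv/app/assets"
ASSETS_PREFIX = "/__emmett__/"


def naive_resolve(url_path: str, root: str = ASSETS_ROOT) -> str:
    """The vulnerable pattern: strip the mount prefix and join the rest onto the
    assets root. Nothing checks the result, so '..' segments walk out of root.
    normpath() mirrors what the kernel does with the path when the file is opened."""
    relative = url_path[len(ASSETS_PREFIX):]
    return posixpath.normpath(posixpath.join(root, relative))


def is_within(root: str, candidate: str) -> bool:
    """True if candidate equals root or lies below it. Purely lexical: both
    arguments must already be normalised absolute POSIX paths."""
    return candidate == root or candidate.startswith(root.rstrip("/") + "/")


def safe_resolve(url_path: str, root: str = ASSETS_ROOT) -> Optional[str]:
    """Hardened version: decode once, normalise, then refuse anything that is
    not inside root. Returns the filesystem path to serve, or None to 404."""
    if not url_path.startswith(ASSETS_PREFIX):
        return None
    relative = unquote(url_path[len(ASSETS_PREFIX):])
    # Reject NUL bytes (they truncate paths in C-level open()) and absolute
    # remainders (posixpath.join discards root when the right side is absolute).
    if "\x00" in relative or relative.startswith("/"):
        return None
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if not is_within(root, candidate):
        return None
    # Symlinks inside root that point outside it are a separate concern; apply
    # os.path.realpath() to both sides here if the assets tree is not trusted.
    return candidate
```

The check is applied to the decoded, normalised path, so percent-encoded dot segments (%2e%2e) are caught as well as literal ../ ones.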