Cyber Resilience

CVE-2026-39847

Critical

Published: 07 April 2026

Modified: 16 April 2026
CVSS v3.1 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS score: 0.0050 (38.6th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-39847 is a critical-severity path traversal (CWE-22) vulnerability in the Emmett web framework (vendor: Emmett). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 38.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-39847 is a path traversal vulnerability (CWE-22) in the Emmett full-stack Python web framework, affecting versions from 2.5.0 up to but not including 2.8.1. The flaw exists in the RSGI static handler responsible for serving internal assets under the /__emmett__ paths. Attackers can exploit this by injecting directory traversal sequences, such as ../, to access arbitrary files outside the designated assets directory. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), highlighting its critical severity due to high impacts on confidentiality and availability.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. By sending crafted requests like /__emmett__/../rsgi/handlers.py, they can read sensitive files on the server, including potentially configuration data, source code, or other restricted resources accessible to the web server process.

The vulnerability has been fixed in Emmett version 2.8.1. Security practitioners are advised to upgrade affected installations to this version or later to mitigate the issue. Further details, including the patch and reproduction steps, are provided in the GitHub Security Advisory at https://github.com/emmett-framework/emmett/security/advisories/GHSA-pr46-2v3c-5356.

Vulnerability details

Emmett is a full-stack Python web framework designed with simplicity. From 2.5.0 to before 2.8.1, the RSGI static handler for Emmett's internal assets (/__emmett__ paths) is vulnerable to path traversal attacks. An attacker can use ../ sequences (e.g. /__emmett__/../rsgi/handlers.py) to read arbitrary files outside the assets directory. This vulnerability is fixed in 2.8.1.
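The defence for the traversal described in the deeper analysis and in the vulnerability details above, as an added illustration: a containment check that resolves the requested file and verifies it stays under the assets root. This is not Emmett's code and does not reproduce the project's 2.8.1 fix; the names ASSET_PREFIX, resolve_asset() and demo(), and the sample files, are assumptions constructed for the example.

```python
"""Containment check for files served under a static-asset URL prefix.

Illustrative defence for the CWE-22 pattern described on this page.
Not Emmett's code; ASSET_PREFIX, resolve_asset() and demo() are assumed names.
"""
import tempfile
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import unquote

ASSET_PREFIX = "/__emmett__/"  # internal-assets prefix named in the advisory


def resolve_asset(assets_root: Path, request_path: str) -> Optional[Path]:
    """Return the file inside assets_root for request_path, or None.

    The check resolves the candidate and tests containment against the
    resolved root instead of searching for '../', so percent-encoded and
    'stays inside' variants are handled the same way as the plain form.
    """
    decoded = unquote(request_path)          # treat %2e%2e like '..'
    if not decoded.startswith(ASSET_PREFIX):
        return None
    relative = decoded[len(ASSET_PREFIX):]
    # Refuse empty names, NUL bytes and anything that looks absolute
    if not relative or "\x00" in relative or relative.startswith(("/", "\\")):
        return None
    root = assets_root.resolve()
    candidate = (root / relative).resolve()  # collapses any '..' segments
    if root != candidate and root not in candidate.parents:
        return None                          # escaped the assets directory
    return candidate if candidate.is_file() else None


def demo() -> Dict[str, bool]:
    """Serve one constructed asset and report which request paths reach a file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "assets"
        (root / "js").mkdir(parents=True)
        (root / "js" / "app.js").write_text("// constructed sample asset\n")
        (Path(tmp) / "secret.cfg").write_text("constructed sibling file\n")
        requests = [
            "/__emmett__/js/app.js",            # legitimate asset -> served
            "/__emmett__/../secret.cfg",        # plain traversal -> refused
            "/__emmett__/%2e%2e/secret.cfg",    # URL-encoded traversal -> refused
            "/__emmett__/js/../js/app.js",      # '..' that stays inside -> served
            "/__emmett__//etc/hostname",        # absolute path after prefix -> refused
        ]
        return {r: resolve_asset(root, r) is not None for r in requests}
```

Note that the containment test runs on the resolved path, so it also holds when the assets root itself sits behind a symlink.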

CWE(s): CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal in a public-facing web framework enables remote, unauthenticated arbitrary file reads, mapping directly to T1190 for initial access and T1005 for local data collection.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66687 (shared CWE-22)
CVE-2025-26753 (shared CWE-22)
CVE-2025-44177 (shared CWE-22)
CVE-2023-42226 (shared CWE-22)
CVE-2026-39859 (shared CWE-22)
CVE-2024-55457 (shared CWE-22)
CVE-2025-8343 (shared CWE-22)
CVE-2026-23939 (shared CWE-22)
CVE-2025-27098 (shared CWE-22)
CVE-2025-69411 (shared CWE-22)

Affected Assets

emmett (vendor: emmett), versions 2.5.0 up to but not including 2.8.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

[prevent]

SI-2 requires timely identification, reporting, and correction of the path traversal flaw in Emmett versions 2.5.0 to 2.8.0 by upgrading to 2.8.1 or later.

[prevent]

SI-10 mandates validation of path inputs to the RSGI static handler to block directory traversal sequences like '../' from accessing arbitrary files.

[prevent, detect]

SC-7 implements boundary protections such as web application firewalls to monitor and block crafted requests exploiting the /__emmett__ path traversal vulnerability.