CVE-2026-29780: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in GOVCERT-LU eml_parser
eml_parser is a Python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursively_extract_attachments.py contains a path traversal vulnerability that allows arbitrary file write outside the intended output directory. Attachment filenames extracted from parsed emails are used directly to construct output file paths without any sanitization, allowing an attacker-controlled filename to escape the target directory. This issue has been patched in version 2.0.1.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-29780 affects the eml_parser Python module developed by GOVCERT-LU, specifically versions prior to 2.0.1. eml_parser is used to parse .eml email files and extract information including attachments. The vulnerability is a CWE-22 path traversal issue found in the official example script recursively_extract_attachments.py, which demonstrates how to recursively extract attachments from emails. The script directly uses attachment filenames from parsed emails to construct output file paths without any sanitization or validation. This allows an attacker to craft an email with malicious attachment filenames containing relative path components (e.g., ../) to escape the intended output directory and write files arbitrarily on the filesystem where the script runs. Such arbitrary file write can lead to overwriting critical files, potentially impacting system integrity. Exploitation requires that the vulnerable script processes attacker-controlled emails, implying user interaction or automated ingestion of malicious emails. The vulnerability does not directly impact confidentiality or availability but poses a significant integrity risk. The issue was publicly disclosed on March 7, 2026, and patched in eml_parser version 2.0.1. No known exploits in the wild have been reported to date. The CVSS v3.1 base score is 5.5, reflecting a local attack vector with low complexity, no privileges required, but requiring user interaction. The scope is unchanged as the vulnerability affects only the local system where the script runs.
Potential Impact
The primary impact of this vulnerability is the potential for arbitrary file write on systems running vulnerable versions of eml_parser, particularly when using the example script or similar code that does not sanitize attachment filenames. This can lead to integrity violations such as overwriting configuration files, scripts, or other critical files, potentially enabling further attacks or system instability. Organizations that use eml_parser in automated email processing pipelines, malware analysis, or security tools that handle untrusted emails are at risk. While the vulnerability does not directly lead to remote code execution, it can be leveraged as a stepping stone for privilege escalation or persistence if combined with other vulnerabilities or misconfigurations. The requirement for user interaction or processing of attacker-controlled emails limits the attack surface but does not eliminate risk, especially in environments that automatically process emails or attachments. The lack of known exploits suggests limited current threat but patching is essential to prevent future abuse. Overall, the vulnerability poses a medium risk to organizations relying on vulnerable eml_parser versions for email parsing and attachment extraction.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade eml_parser to version 2.0.1 or later, where the path traversal issue has been patched. Review and avoid using the vulnerable example script recursively_extract_attachments.py in production or modify it to sanitize and validate all attachment filenames before writing to disk. Implement strict filename normalization and whitelist allowed characters to prevent directory traversal sequences. Run email parsing and attachment extraction processes with the least privileges necessary, ideally in isolated or sandboxed environments to limit potential damage from arbitrary file writes. Monitor file system changes in directories used for email attachment extraction to detect suspicious activity. Additionally, apply network and email security controls to reduce the likelihood of processing malicious emails, such as advanced email filtering, attachment scanning, and user awareness training. Regularly audit and update third-party libraries to incorporate security patches promptly.
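The filename normalization and containment check recommended above can look like the following. This is an added example, not the eml_parser 2.0.1 patch or any code from the project; it uses Python's standard `email` package rather than the eml_parser API, and the names `safe_name`, `extract_attachments` and `build_sample_eml` are hypothetical.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from pathlib import Path

# Allow-list: any character outside this set becomes "_".
_DISALLOWED = re.compile(r"[^A-Za-z0-9._-]")

def safe_name(raw_name):
    """Reduce an untrusted attachment filename to one harmless path component."""
    # Treat "\" like "/" so Windows-style traversal is cut too; keep the last part.
    name = (raw_name or "").replace("\\", "/").split("/")[-1]
    # Leading dots are stripped so "..", "." and hidden files cannot result.
    name = _DISALLOWED.sub("_", name).lstrip(".")
    return name[:100] or "attachment"

def extract_attachments(eml_bytes, out_dir):
    """Write every attachment below out_dir and return the paths written."""
    out_root = Path(out_dir).resolve()
    msg = email.message_from_bytes(eml_bytes, policy=policy.default)
    written = []
    for i, part in enumerate(msg.iter_attachments()):
        # The index prefix keeps two attachments with the same name apart.
        target = (out_root / f"{i:03d}_{safe_name(part.get_filename())}").resolve()
        # Containment check after resolving: also catches a planted symlink.
        if target.parent != out_root:
            raise ValueError(f"refusing to write outside {out_root}: {target}")
        with open(target, "xb") as fh:  # "x" never overwrites an existing file
            fh.write(part.get_payload(decode=True) or b"")
        written.append(target)
    return written

def build_sample_eml():
    """Constructed sample message; the filenames are made up for this example."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    for name in ("../../escape.txt", "/tmp/abs.txt", "report.pdf"):
        msg.add_attachment(b"data", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print([p.name for p in extract_attachments(build_sample_eml(), d)])
```

Sanitizing the name and checking the resolved path are independent controls: the first removes traversal components, the second fails closed if anything in the output directory redirects the write.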
Affected Countries
United States, Germany, France, United Kingdom, Netherlands, Luxembourg, Canada, Australia, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T16:26:02.898Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69ac44bec48b3f10ffa88854
Added to database: 3/7/2026, 3:31:10 PM
Last enriched: 3/14/2026, 7:56:44 PM
Last updated: 4/22/2026, 6:38:39 AM