CVE

CVE-2026-32274

Black: Arbitrary file writes from unsanitized user input in cache file name

CVE

CVE-2026-32274

Black: Arbitrary file writes from unsanitized user input in cache file name

Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

8.7

4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Related Resources

No items found.

References

https://github.com/psf/black/releases/tag/26.3.1, https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32274.json, https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m, https://nvd.nist.gov/vuln/detail/CVE-2026-32274, https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d, https://github.com/psf/black/pull/5038

Severity

0

CVSS Score

Basic Information

Ecosystem

Base CVSS

EPSS Probability

0.00021%

EPSS Percentile

0.06013%

Introduced Version

Fix Available

c6755bb741b6481d6b3d3bb563c83fa060db96c9,0.16.0-r22,1.23.0-r0,2.7.0-r2,0.8.10-r1

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2026-32274

CVE-2026-32274

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

0

Basic Information

Fix Critical Vulnerabilities Instantly