CVE-2026-32274

High CVSS: 8.7

Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.

Vendor

Python

Product

Black

CWE

CWE-22

Yayın Tarihi

2026-03-12 20:16:06

Güncelleme

2026-03-18 14:12:39

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-22 Black HIGH Python 2026

Referanslar

https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d https://github.com/psf/black/pull/5038 https://github.com/psf/black/releases/tag/26.3.1 https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m

Benzer Kayıtlar

Medium

CVE-2026-25645

Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a…

High

CVE-2026-31900

Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action suppo…

High

CVE-2026-25990

Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, n out-of-bounds write may be triggered when loading a…

Medium

CVE-2025-12781

When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the…

High

CVE-2026-21441

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HT…

High

CVE-2025-66471

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API…