← voltar
CVE-2026-32274

Black: Arbitrary file writes from unsanitized user input in cache file name

CVSS 8.7 HIGHEPSS 0.4%CWE-22
Vexday Risk Score
21Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 8.7EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
12 mar 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Produtos afetados
psf · black

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909dhttps://github.com/psf/black/pull/5038https://github.com/psf/black/releases/tag/26.3.1https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m