CVE-2026-32274
HIGH7.5EPSS 0.02%Black: Arbitrary file writes from unsanitized user input in cache file name
Published: 3/12/2026Modified: 3/16/2026
Description
### Impact Black writes a cache file, the name of which is computed from various formatting options. The value of the `--python-cell-magics` option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. ### Patches Fixed in Black 26.3.1. ### Workarounds Do not allow untrusted user input into the value of the `--python-cell-magics` option.
Affected packages (2)
- Debian/blackfrom 0
- PyPI/blackfrom 0, < 26.3.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-32274
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-32274
- PATCHhttps://github.com/psf/black
- WEBhttps://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d
- WEBhttps://github.com/psf/black/pull/5038
- WEBhttps://github.com/psf/black/releases/tag/26.3.1
- WEBhttps://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m