CVE-2026-27641
Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection
描述
### Impact A critical path traversal and extension bypass vulnerability in Flask-Reuploaded allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI). ### Patches Flask-Reuploaded has been patched in version 1.5.0 ### Workarounds 1. **Do not pass user input to the `name` parameter** 2. Use auto-generated filenames only 3. Implement strict input validation if `name` must be used ```python from werkzeug.utils import secure_filename import os # Sanitize user input before passing to save() safe_name = secure_filename(request.form.get('custom_name')) # Remove path separators safe_name = os.path.basename(safe_name) # Validate extension matches policy if not photos.extension_allowed(photos.get_extension(safe_name)): abort(400) filename = photos.save(file, name=safe_name) ``` ### Resources The fix is documented in the pull request, see https://github.com/jugmac00/flask-reuploaded/pull/180. A proper write-up was created by the reporter of the vulnerability, Jaron Cabral (https://www.linkedin.com/in/jaron-cabral-751994357/), but is not yet available as of time of this publication.
如何修補 CVE-2026-27641
要修補 CVE-2026-27641,請將受影響套件升級到下列已修補版本。
- —升級至 1.5.0 或更新版本
CVE-2026-27641 正在被利用嗎?
低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- from 0, < 1.5.0
CVSS 分數
| 來源 | 版本 |
|---|