CVE-2026-32274

EUVD-2026-11698
Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.
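As an added illustration (not Black's own code, and not the actual fix shipped in 26.3.1): the unsanitised construction the description refers to, beside a hardened variant that derives the cache file name from a digest of the option values and checks that the result stays inside the cache directory. The cache directory and all function names are constructed for this example.

```python
import hashlib
from pathlib import Path
from typing import Iterable

# Constructed cache location for this example (not Black's real cache directory).
CACHE_DIR = Path("example-cache")


def unsafe_cache_path(cache_dir: Path, line_length: int, cell_magics: Iterable[str]) -> Path:
    """Flawed pattern: option values are spliced into the file name verbatim.

    Any path separator or '..' inside a value changes the directory the file lands in.
    """
    key = f"{line_length}-{','.join(sorted(cell_magics))}"
    return cache_dir / f"cache.{key}.pickle"


def stays_inside(cache_dir: Path, path: Path) -> bool:
    """Containment check: True only if path resolves to a direct child of cache_dir."""
    return path.resolve().parent == cache_dir.resolve()


def safe_cache_path(cache_dir: Path, line_length: int, cell_magics: Iterable[str]) -> Path:
    """Hardened pattern: the file name is derived from a digest of the options.

    The digest is fixed-length hex, so no option value can introduce separators or
    '..' components; the final containment check is defence in depth against
    regressions elsewhere in the path construction.
    """
    key_material = repr((line_length, tuple(sorted(cell_magics))))
    digest = hashlib.sha256(key_material.encode("utf-8")).hexdigest()
    path = cache_dir / f"cache.{digest}.pickle"
    if not stays_inside(cache_dir, path):
        raise ValueError("cache file name escaped the cache directory")
    return path
```

The containment check is also usable on its own as a regression test for any cache or temp-file naming scheme that incorporates user-controlled values.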
Weakness: Path Traversal

CVSS 3.x Base Score (Provider: NIST, Type: Primary)
  Base Score:         7.5 HIGH
  Attack Vector:      NETWORK
  Attack Complexity:  LOW
  Privileges Required: NONE
  Vector:             CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Score
  Percentile: 6%
Affected Products (NVD)
  Vendor:  python
  Product: black
  Version: x < 26.3.1  (x = vulnerable software versions)
Debian Releases (product: black)
  Codename   Status     Fixed version
  bookworm   no-dsa
  bullseye   postponed
  forky      fixed      26.3.1-1
  sid        fixed      26.3.1-1
  trixie     fixed      25.1.0-3+deb13u1
Ubuntu Releases (product: black)
  Codename   Status
  focal      needs-triage
  jammy      needs-triage
  noble      needs-triage
  questing   needs-triage
  resolute   needs-triage