Vulnerability DatabaseCVE-2026-32274
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-32274
March 12, 2026
Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.
Affected Packages
black (CONDA):
Affected version(s) >=18.4a4 <26.3.1
Fix Suggestion:
Update to version 26.3.1
black (PYTHON):
Affected version(s) >=18.3a0 <26.3.1
Fix Suggestion:
Update to version 26.3.1
Related Resources (6)
https://github.com/psf/black/releases/tag/26.3.1
https://github.com/psf/black/pull/5038
https://nvd.nist.gov/vuln/detail/CVE-2026-32274
https://github.com/psf/black
https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m
https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-22
EPSS
Base Score:
0.02