2447111 – (CVE-2026-32274) CVE-2026-32274 black: Black: Arbitrary file writes from unsanitized user input in cache file name

Bug 2447111 (CVE-2026-32274) - CVE-2026-32274 black: Black: Arbitrary file writes from unsanitized user input in cache file name

Summary: CVE-2026-32274 black: Black: Arbitrary file writes from unsanitized user inpu...

Keywords:
Status:	NEW
Alias:	CVE-2026-32274
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-12 20:01 UTC by OSIDB Bzimport
Modified:	2026-03-12 23:10 UTC (History)
CC List:	40 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-12 20:01:46 UTC

Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.

Note You need to log in before you can comment on or make changes to this bug.

adudiak
anpicker
bparees
dfreiber
drow
dschmidt
erezende
fdeutsch
hasun
jburrell
jfula
jkoehler
jlanda
jmitchel
jowilson
jwong
kshier
ljawale
lphiri
luizcosta
nweather
nyancey
omaciel
ometelka
oramraz
pbohmill
ptisnovs
rbobbitt
simaishi
smcdonal
smullick
stcannon
stirabos
syedriko
teagle
thason
ttakamiy
vkumar
xdharmai
yguenane