CRITICAL🇵🇱 Wersja polska

CVE-2026-27641

CVSS 9.8v3.1pub. 2026-02-25upd. 2026-02-27

Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI). Flask-Reuploaded has been patched in version 1.5.0. Some workarounds are available. Do not pass user input to the `name` parameter, use auto-generated filenames only, and implement strict input validation if `name` must be used.

🤖 AI Analysis
How it works

An attacker can pass crafted input to the `name` parameter during file upload. The library does not properly validate this value, which allows for path traversal — saving a file in any location on the server outside the intended target directory. At the same time, it is possible to bypass file extension controls, and through SSTI the attacker can trigger execution of malicious code on the server side.

Impact

An attacker can write any file to a selected location on the server and execute remote code (RCE) on it, which can lead to complete system takeover, disclosure of sensitive data, or compromise of data integrity.

Mitigation & patch

Flask-Reuploaded should be updated to version 1.5.0, in which the vulnerability has been fixed. As a temporary workaround: user input should not be passed to the `name` parameter — instead, only auto-generated file names should be used; if use of the `name` parameter is necessary, strict input validation should be implemented.

Who is affected

All versions of the Jugmac00 Flask-Reuploaded library before version 1.5.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Jugmac00 Flask Reuploaded

    APP
    Jugmac00
    < 1.5.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath Traversal
CWE
References