CVE-2026-27641
Received - Intake
Path Traversal and SSTI in Flask-Reuploaded Allows RCE

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI). Flask-Reuploaded has been patched in version 1.5.0. Some workarounds are available. Do not pass user input to the `name` parameter, use auto-generated filenames only, and implement strict input validation if `name` must be used.
Meta Information
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor    Product           Version / Range
jugmac00  flask-reuploaded  all versions before 1.5.0 (1.5.0 itself is not affected)
CWE ID    Description
CWE-1336  Improper Neutralization of Special Elements Used in a Template Engine: the product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
CWE-22    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): the product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but it does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
Executive Summary

CVE-2026-27641 is a critical vulnerability in the Flask-Reuploaded Python package that allows remote attackers to perform arbitrary file writes and remote code execution. It combines a path traversal and file extension bypass flaw with Server-Side Template Injection (SSTI): in an application that passes user-controlled input to the `name` parameter of the upload set's `save()` method, an attacker can choose a name that writes the uploaded file outside the intended upload directory and under an extension the upload set is configured to reject.

The flaw exists because versions before 1.5.0 do not properly sanitize or validate the `name` value, so directory components and an unchecked extension reach the final save path. When the written file is later processed by the application's template engine (CWE-1336), the template expressions it contains execute on the server.

The issue was fixed in version 1.5.0 by applying strict sanitization with `secure_filename()`, re-validating file extensions after renaming, enforcing that saved files remain within the designated upload folder, and adding security regression tests.

Impact Analysis

This vulnerability can have severe impacts, including full remote code execution on the affected server without requiring any privileges or user interaction, in applications that pass attacker-controlled input to the `name` parameter.

  • Attackers can write arbitrary files to any location on the server filesystem that the application process can write to.
  • They can bypass file extension restrictions to upload files the upload set is configured to reject, including scripts and templates.
  • Successful exploitation compromises the confidentiality, integrity, and availability of the system.
  • It can lead to unauthorized access, data breaches, service disruption, and full system compromise.
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate CVE-2026-27641, immediately upgrade Flask-Reuploaded to version 1.5.0 or later, where the vulnerability is patched.

If upgrading is not immediately possible, do not pass user input directly to the filename (`name`) parameter of the upload set's `save()` method. Instead, use auto-generated filenames or strictly validate and sanitize any user input.

Recommended mitigation practices include:

  • Use Werkzeug's `secure_filename()` function to sanitize filenames and remove unsafe characters.
  • Remove any path separators by applying `os.path.basename()` to the sanitized filename.
  • Validate the file extension against an allowed list on the final name, not only on the original upload, before saving, to prevent extension bypass.
  • Reject an empty or missing name rather than falling back to anything derived from the request.

An example mitigation snippet, where `photos` is the application's `UploadSet` instance and `file` is the incoming `FileStorage`, is:

```python
import os

from flask import abort, request
from werkzeug.utils import secure_filename

custom_name = request.form.get('custom_name', '')
# secure_filename() strips unsafe characters; basename() is a second guard
# against any remaining path component.
safe_name = os.path.basename(secure_filename(custom_name))
if not safe_name:
    abort(400)
# Re-check the extension of the final name, not of the original upload.
if not photos.extension_allowed(photos.get_extension(safe_name)):
    abort(400)
filename = photos.save(file, name=safe_name)
```

Additionally, ensure that uploaded files are strictly contained within the designated upload directory to prevent path traversal attacks. [1, 2, 3]
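The sanitize, re-validate and contain steps described in the Executive Summary and in the mitigation list above, carried out as one stand-alone function over constructed inputs. This is an added example, not code from the Flask-Reuploaded project or from the advisory: the function names are mine, `ALLOWED_EXTENSIONS` is an assumed image-only configuration, the character filter is a simplified stand-in for Werkzeug's `secure_filename()` so that the block runs with the standard library only, and the rule that a name without an extension inherits the uploaded file's extension is this example's own convention.

```python
import os
import posixpath
import re
from typing import Optional, Tuple

# Assumption for this example: an image-only upload set.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Simplified stand-in for werkzeug.utils.secure_filename (not the real one):
# every character outside [A-Za-z0-9_.-] becomes "_".
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_.-]")


def sanitize_basename(name: str) -> str:
    """Reduce a user-supplied name to a single, character-safe path component."""
    # Normalise Windows separators, then keep only the last component, so that
    # "../x.jpg", "a/b.jpg" and "..\\x.jpg" all lose their directory part.
    last = posixpath.basename(name.replace("\\", "/"))
    last = _UNSAFE_CHARS.sub("_", last)
    # "." and ".." survive the character filter; dropping leading dots removes
    # them and also prevents hidden files such as ".htaccess".
    return last.lstrip(".")


def split_extension(filename: str) -> Tuple[str, str]:
    """Return (stem, lowercased extension); the extension is "" when absent."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem:
        return filename, ""
    return stem, ext.lower()


def escapes_root(upload_root: str, relative_name: str) -> bool:
    """True if upload_root/relative_name resolves to a path outside upload_root."""
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, relative_name))
    # realpath collapses "..", so a traversal shows up as a different prefix.
    return os.path.commonpath([root, target]) != root


def choose_target(upload_root: str, user_name: Optional[str], original_filename: str) -> str:
    """Return the absolute path to save to, or raise ValueError."""
    base = sanitize_basename(original_filename)
    if not user_name:
        candidate = base
    else:
        candidate = sanitize_basename(user_name)
        if not candidate:
            raise ValueError("name sanitizes to an empty string")
    stem, ext = split_extension(candidate)
    if not ext:
        # This example's rule: a name without an extension inherits the
        # (lowercased) extension of the uploaded file.
        ext = split_extension(base)[1]
    candidate = f"{stem}.{ext}" if ext else stem
    # Validate the extension of the FINAL name. Checking only the original
    # upload and then saving under a different, unchecked name is the gap that
    # "re-validating file extensions after renaming" closes.
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not allowed")
    # Defense in depth: the sanitizer should already have removed every
    # separator, but the containment check is cheap and catches regressions.
    if escapes_root(upload_root, candidate):
        raise ValueError("target path escapes the upload folder")
    return os.path.join(os.path.realpath(upload_root), candidate)


def is_rejected(upload_root: str, user_name: Optional[str], original_filename: str) -> bool:
    """Convenience wrapper: True when choose_target() refuses the input."""
    try:
        choose_target(upload_root, user_name, original_filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs (not taken from a real application or exploit).
    root = "/srv/app/uploads"
    samples = [
        ("../../templates/index.html", "cat.png"),
        ("..\\..\\templates\\index.html", "cat.png"),
        ("shell.php", "cat.png"),
        ("cat.png.html", "cat.png"),
        ("avatar", "cat.png"),
        ("My Photo!.JPEG", "cat.png"),
        (None, "cat.png"),
    ]
    for user_name, original in samples:
        try:
            print(f"{user_name!r:35} -> {choose_target(root, user_name, original)}")
        except ValueError as exc:
            print(f"{user_name!r:35} -> rejected: {exc}")
```

The containment check in `escapes_root()` is kept separate from the sanitizer on purpose: sanitization should already have removed every separator and `..`, so the check is the independent guard on the final path that the 1.5.0 fix describes, and it can be called right before the file is written regardless of how the name was produced.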
