CVE-2026-27641
Path Traversal and SSTI in Flask-Reuploaded Allows RCE
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jugmac00 | flask-reuploaded | up to 1.5.0 (1.5.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27641 is a critical vulnerability in the Flask-Reuploaded Python package that allows remote attackers to perform arbitrary file writes and remote code execution. This happens due to a path traversal and file extension bypass flaw combined with Server-Side Template Injection (SSTI). Attackers can exploit this by manipulating the filename parameter to write files outside the intended upload directory and bypass file extension restrictions.
The vulnerability arises because the application does not properly sanitize or validate the filename input, allowing malicious paths or extensions to be used. This can lead to attackers uploading files that execute code on the server.
The issue was fixed in version 1.5.0 by applying strict sanitization using functions like secure_filename(), re-validating file extensions after renaming, enforcing that files remain within the designated upload folder, and adding security regression tests.
How can this vulnerability impact me?
This vulnerability can have severe impacts including full remote code execution on the affected server without requiring any privileges or user interaction.
- Attackers can write arbitrary files to any location on the server filesystem.
- They can bypass file extension restrictions to upload malicious scripts.
- Successful exploitation can compromise confidentiality, integrity, and availability of the system.
- It can lead to unauthorized access, data breaches, service disruption, and full system compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-27641, immediately upgrade Flask-Reuploaded to version 1.5.0 or later, where the vulnerability is patched.
If upgrading is not immediately possible, do not pass user input directly to the filename (`name`) parameter when saving files. Instead, use auto-generated filenames or strictly validate and sanitize any user input.
Recommended mitigation practices include:
- Use Werkzeug's `secure_filename()` function to sanitize filenames and remove unsafe characters.
- Remove any path separators by applying `os.path.basename()` to the sanitized filename.
- Validate the file extension against an allowed list before saving to prevent extension bypass.
An example mitigation snippet is:
```python
import os

from flask import abort, request
from werkzeug.utils import secure_filename

# `photos` is the application's UploadSet (flask_uploads.UploadSet), defined elsewhere;
# `file` is the uploaded FileStorage object taken from the request.

# Sanitize the user-chosen name; default to '' so a missing field cannot crash secure_filename().
safe_name = secure_filename(request.form.get('custom_name', ''))
# Drop any remaining directory components so only a single path component is left.
safe_name = os.path.basename(safe_name)
# Re-validate the extension on the sanitized name, not on the raw input.
if not photos.extension_allowed(photos.get_extension(safe_name)):
    abort(400)
filename = photos.save(file, name=safe_name)
```
Additionally, ensure that uploaded files are strictly contained within the designated upload directory to prevent path traversal attacks. [1, 2, 3]
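The mitigation steps above (sanitize the name, strip path separators, re-validate the extension after sanitizing, and confirm the final path stays under the upload root) can be checked end to end without a running Flask application. The following is an added example written for this page; it is not code from Flask-Reuploaded or from the advisory. It assumes a constructed extension allow-list and uses a simplified stdlib stand-in for Werkzeug's `secure_filename()` so that it runs offline; the stand-in is an assumption of this example and is not Werkzeug's implementation.

```python
import os
import re
from typing import Dict, Iterable, Optional

# Constructed allow-list for this example; a real application defines its own.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Simplified stand-in for werkzeug.utils.secure_filename(): anything outside
# ASCII letters, digits, dot, underscore and hyphen becomes an underscore.
# This is an assumption of the example, not Werkzeug's actual algorithm.
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_.-]")


def sanitize_name(requested: str) -> str:
    """Reduce a user-supplied name to a single safe path component."""
    # Treat both separator styles as separators, then keep only the last component,
    # which is what the os.path.basename() step in the advisory achieves.
    name = os.path.basename(requested.replace("\\", "/"))
    # Replace unsafe characters and drop leading/trailing dots so hidden files
    # and bare '..' components cannot survive.
    return _UNSAFE_CHARS.sub("_", name).strip("._")


def get_extension(name: str) -> str:
    """Lower-cased extension of a filename, or '' when it has none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def safe_upload_path(upload_root: str, requested: str) -> Optional[str]:
    """Return the absolute destination path for a user-chosen name, or None if rejected."""
    name = sanitize_name(requested)
    if not name:
        return None
    # Re-validate the extension *after* sanitizing: sanitizing can change the name,
    # so a check done on the raw input would not describe what is actually written.
    if get_extension(name) not in ALLOWED_EXTENSIONS:
        return None
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, name))
    # Containment check (defense in depth): the resolved path must stay under the root.
    if os.path.commonpath([root, dest]) != root:
        return None
    return dest


def check_names(upload_root: str, names: Iterable[str]) -> Dict[str, bool]:
    """Map each requested name to whether it would be accepted for saving."""
    return {n: safe_upload_path(upload_root, n) is not None for n in names}


if __name__ == "__main__":
    # Constructed sample inputs covering the cases the advisory describes:
    # a plain image, a traversal attempt, a disallowed extension, and a path with separators.
    samples = ["photo.jpg", "../../etc/passwd", "shell.php", "a/b/../c d.png"]
    for name, ok in check_names("/tmp/uploads", samples).items():
        print(f"{name!r:28} -> {'accepted' if ok else 'rejected'}")
```

Run it directly to see the decision for each constructed sample; the accepted names always resolve to a file directly under the upload root and never carry a directory component from the request.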