CVE-2026-24486
published 2026-01-27


Priority: P2 (60), severity high, CVSS 3.1 base score 7.5
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:N
Exploit: PoC referenced (see Detection & IOCs below)
EPSS: 2.23% (80.5th percentile)
Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.

Affected

8 ranges
Vendor         | Product          | Version range                          | Fixed in
debian         | python-multipart | < python-multipart 0.0.20-1.1 (forky)  | python-multipart 0.0.20-1.1 (forky)
fastapiexpert  | python-multipart | < 0.0.22                               | 0.0.22
kludex         | python-multipart | < 0.0.22                               | 0.0.22
kludex         | python-multipart | >= 0 < 0.0.20-1.1~deb13u1              | 0.0.20-1.1~deb13u1
kludex         | python-multipart | >= 0 < 0.0.20-1.1                      | 0.0.20-1.1
kludex         | python-multipart | >= 0 < 0.0.22                          | 0.0.22
kludex         | python-multipart | >= 0 < 0.0.5-2ubuntu0.1~esm1           | 0.0.5-2ubuntu0.1~esm1
kludex         | python-multipart | >= 0 < 0.0.9-1ubuntu0.1~esm1           | 0.0.9-1ubuntu0.1~esm1

Detection & IOCs (extracted from sources)

  • The vulnerability is reachable only when both non-default options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True` are set; default configurations are not affected. Inventory and alert on applications that combine these two settings with python-multipart older than 0.0.22.
  • The attack vector is a crafted filename in a multipart file upload request; inspect the `filename` field of multipart Content-Disposition headers for traversal sequences (`../`, absolute paths, null bytes, and on Windows hosts also backslash-separated paths and drive letters).
  • Successful exploitation is an arbitrary file write outside the upload directory, which the sources note can be escalated to remote code execution; monitor for unexpected file creation outside the configured `UPLOAD_DIR`.
  • Sanitization check: code that keeps the client-supplied filename should reduce it to `os.path.basename(file.filename)` (or equivalent) before joining it to the upload directory, and ideally verify that the resolved path is still inside `UPLOAD_DIR`; the absence of such a step indicates an exploitable code path. Note that `os.path.basename` on POSIX does not strip backslashes, so a basename-only check is not sufficient for uploads that will be written on Windows.
  • Workaround without patching: do not set `UPLOAD_KEEP_FILENAME=True`; disabling this option alone prevents the path traversal.
  • The public exploit PoC targets python-multipart versions prior to 0.0.22; the fix is available in 0.0.22.
  • Red Hat lists several packages as 'Not affected' (e.g., openshift-lightspeed/lightspeed-ocp-rag-rhel9) while others are 'Affected'; the scope of impact varies by container image.
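The following is an added example and is not code from this page or from the python-multipart project. It parses a constructed multipart body, applies the Content-Disposition filename check from the IOC list above, and contrasts a naive join (a model of what keeping the client filename under `UPLOAD_DIR` amounts to, not the library's real implementation) with a hardened handler that rejects traversal and proves containment. All function names (`extract_filenames`, `looks_like_traversal`, `naive_target_path`, `safe_target_path`, `triage`, `run_demo`) and the sample request body are assumptions made for this example; the code only computes paths and never writes a file.

```python
"""Added example, not python-multipart's own code.

Models the CVE-2026-24486 failure mode: a multipart upload whose
Content-Disposition filename is joined unchanged onto UPLOAD_DIR.
Only paths are computed; nothing is written to disk.
"""

import os
import re
import tempfile

# Constructed sample request body (not a real capture): two malicious
# parts and one benign part, separated by the boundary "----demo".
SAMPLE_BODY = (
    b"------demo\r\n"
    b'Content-Disposition: form-data; name="file"; filename="../../etc/cron.d/backdoor"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"* * * * * root id > /tmp/pwned\r\n"
    b"------demo\r\n"
    b'Content-Disposition: form-data; name="file"; filename="/etc/passwd"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"root:x:0:0::/root:/bin/sh\r\n"
    b"------demo\r\n"
    b'Content-Disposition: form-data; name="file"; filename="report.pdf"\r\n'
    b"Content-Type: application/pdf\r\n\r\n"
    b"%PDF-1.4\r\n"
    b"------demo--\r\n"
)

_FILENAME_RE = re.compile(rb'filename="([^"]*)"')


def extract_filenames(body: bytes) -> list:
    """Return every Content-Disposition filename in a multipart body."""
    return [m.decode("utf-8", "replace") for m in _FILENAME_RE.findall(body)]


def looks_like_traversal(name: str) -> bool:
    """Detection rule from the IOC list: '..' segments, absolute paths,
    Windows drive letters, or NUL bytes in the filename."""
    segments = name.replace("\\", "/").split("/")
    return (
        ".." in segments
        or name.startswith(("/", "\\"))
        or re.match(r"^[A-Za-z]:", name) is not None
        or "\x00" in name
    )


def naive_target_path(upload_dir: str, filename: str) -> str:
    """Hypothetical model of the vulnerable behaviour: the client-controlled
    name is joined straight onto the upload directory. An absolute
    filename even discards upload_dir entirely (os.path.join semantics)."""
    return os.path.join(upload_dir, filename)


def safe_target_path(upload_dir: str, filename: str) -> str:
    """Hardened form: reject traversal outright, strip path components,
    then prove the resolved path is still inside upload_dir."""
    if looks_like_traversal(filename):
        raise ValueError("filename contains path traversal: %r" % filename)
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError("empty or dot-only filename")
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, base))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("resolved path escapes upload dir")
    return target


def escapes(upload_dir: str, path: str) -> bool:
    """True when `path` resolves outside `upload_dir` (the IOC to monitor)."""
    root = os.path.realpath(upload_dir)
    try:
        return os.path.commonpath([root, os.path.realpath(path)]) != root
    except ValueError:  # different drives on Windows: certainly outside
        return True


def triage(body: bytes, upload_dir: str) -> list:
    """For each uploaded filename: was it flagged, would the naive join
    escape the upload dir, and does the hardened handler reject it?"""
    results = []
    for name in extract_filenames(body):
        try:
            safe_target_path(upload_dir, name)
            rejected = False
        except ValueError:
            rejected = True
        results.append({
            "filename": name,
            "flagged": looks_like_traversal(name),
            "naive_escapes": escapes(upload_dir, naive_target_path(upload_dir, name)),
            "hardened_rejects": rejected,
        })
    return results


def run_demo() -> list:
    """Run the triage against a fresh temporary upload directory."""
    return triage(SAMPLE_BODY, tempfile.mkdtemp(prefix="uploads-"))


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The hardened handler rejects rather than silently sanitizes: a filename with `../` in it is an attack indicator worth logging, and the final `realpath`/`commonpath` check catches anything the string rules miss (for example a symlink already present under the upload directory).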

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v3.1    | 7.5   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
osv            |         | 7.5   | HIGH     |
vendor_debian  |         | 8.6   | HIGH     |
vendor_redhat  |         | 8.6   | HIGH     |
vendor_ubuntu  |         | 7.5   | HIGH     |