CVE-2026-24486 — Path Traversal in Python-multipart

CWE-22 — Path Traversal9 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 91.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kludex Python-multipart Fastapiexpert Python-multipart Debian Python-multipart

Timeline

PublishedJan 27

Latest updateFeb 11

Description

Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶CVEListV5kludex/python-multipart< 0.0.22

▶PyPIkludex/python-multipart< 0.0.22

▶debiandebian/python-multipart< python-multipart 0.0.20-1.1 (forky)

▶NVDfastapiexpert/python-multipart< 0.0.22

▶Debiankludex/python-multipart< 0.0.20-1.1~deb13u1+1

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

python-multipart vulnerabilities↗2026-02-11

▶

OSV

CVE-2026-24486: Python-Multipart is a streaming multipart parser for Python↗2026-01-27

▶

GHSA

Python-Multipart has Arbitrary File Write via Non-Default Configuration↗2026-01-26

▶

OSV

Python-Multipart has Arbitrary File Write via Non-Default Configuration↗2026-01-26

▶

📋Vendor Advisories

Ubuntu

Python-Multipart vulnerabilities↗2026-02-11

▶

Red Hat

python-multipart: Python-Multipart: Arbitrary file write via path traversal vulnerability↗2026-01-27

▶

Debian

CVE-2026-24486: python-multipart - Python-Multipart is a streaming multipart parser for Python. Prior to version 0....↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-24486 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶