CVE-2026-27641
Published 2026-02-25
Priority: P268
Severity: critical, CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.05% (59.9th percentile)
Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI). Flask-Reuploaded has been patched in version 1.5.0. Workarounds are available: do not pass user input to the `name` parameter, use auto-generated filenames only, and implement strict input validation if `name` must be used.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jugmac00 | flask-reuploaded | < 1.5.0 | 1.5.0 |
| jugmac00 | flask-reuploaded | >= 0 < 1.5.0 | 1.5.0 |
GHSA · 2026-02-25 · CVE-2026-27641 [CRITICAL] · CWE-1336
Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection
### Impact
A critical path traversal and extension bypass vulnerability in Flask-Reuploaded allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI).
### Patches
Flask-Reuploaded has been patched in version 1.5.0
### Workarounds
1. **Do not pass user input to the `name` parameter**
2. Use auto-generated filenames only
3. Implement strict input validation if `name` must be used
```python
import os

from flask import request
from werkzeug.utils import secure_filename

# Sanitize user input before passing to save(); default to '' so a missing
# form field does not raise inside secure_filename()
safe_name = secure_filename(request.form.get('custom_name', ''))
# Remove path separators
safe_name = os.path.basename(safe_name)
# Validate extension
```
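The three workarounds above carried into working code, as an added example written for this page rather than code from Flask-Reuploaded or from the advisory: `generated_name` implements the auto-generated-filename workaround, and `safe_upload_name` implements strict validation for the case where a user-chosen `name` must be kept. The `ALLOWED_EXTENSIONS` allowlist, the function names and the sample filenames are constructed assumptions; only the standard library is used, so it runs without Flask or Werkzeug installed.

```python
import re
import secrets
import unicodedata

# Assumed allowlist for this example; a real deployment sets its own.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}

# Conservative ASCII allowlist for a stored filename: must start with an
# alphanumeric, may contain '.', '_' and '-', at most 100 characters.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")

# Jinja delimiters. The advisory's impact is SSTI, so a filename carrying
# any of these is treated as hostile input rather than as a name.
_TEMPLATE_MARKERS = ("{{", "}}", "{%", "%}", "{#", "#}")


def generated_name(ext: str) -> str:
    """Workaround 2: auto-generate the stored filename. Only the extension
    comes from the upload, and only if it is on the allowlist."""
    ext = ext.lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext!r}")
    return f"{secrets.token_hex(16)}.{ext}"


def safe_upload_name(user_name: str, allowed=ALLOWED_EXTENSIONS) -> str:
    """Workaround 3: strict validation when a user-chosen name must be kept.
    Returns a sanitized basename or raises ValueError. Bad names are
    rejected, not repaired: attackers probe exactly the repair logic."""
    if not isinstance(user_name, str) or not user_name:
        raise ValueError("empty name")
    # NUL and control characters are rejected before any normalisation.
    if any(ord(c) < 32 for c in user_name):
        raise ValueError("control character in name")
    # NFKC first, then the separator checks: fullwidth U+FF0F folds to '/',
    # so checking before normalising would miss it.
    name = unicodedata.normalize("NFKC", user_name)
    # Path traversal: reject outright so '../' cannot be rebuilt from
    # pieces that a single stripping pass would leave behind.
    if "/" in name or "\\" in name or ".." in name:
        raise ValueError("path separator or traversal in name")
    if any(m in name for m in _TEMPLATE_MARKERS):
        raise ValueError("template syntax in name")
    if not _NAME_RE.fullmatch(name):
        raise ValueError("name contains disallowed characters")
    # Extension bypass: the last suffix must be allowlisted, and a second
    # dot in the stem ('shell.php.png') is refused rather than trimmed.
    stem, _, ext = name.rpartition(".")
    if not stem or ext.lower() not in allowed:
        raise ValueError(f"extension not allowed: {ext!r}")
    if "." in stem:
        raise ValueError("multiple extensions not allowed")
    return f"{stem}.{ext.lower()}"


def classify(names):
    """Run the validator over a batch: {input: accepted name or None}."""
    out = {}
    for n in names:
        try:
            out[n] = safe_upload_name(n)
        except ValueError:
            out[n] = None
    return out


# Constructed sample inputs for this example, not taken from the advisory.
SAMPLE_NAMES = [
    "report.png",            # benign
    "../../etc/passwd",      # traversal
    "{{7*7}}.png",           # template syntax
    "shell.php",             # disallowed extension
    "shell.php.png",         # double extension
    "..\\..\\web.config",    # Windows-style traversal
    "Report-2026_v2.PDF",    # benign, extension case-folded
]

if __name__ == "__main__":
    for n, result in classify(SAMPLE_NAMES).items():
        print(f"{n!r:24} -> {result!r}")
    print("generated:", generated_name("png"))
```

Of the two functions, `generated_name` is the one to prefer: it never lets attacker bytes reach the filesystem or a template. `safe_upload_name` exists for the case the advisory allows only grudgingly, and it fails closed on every check so that a new bypass class (a fresh Unicode trick, a new delimiter) produces a rejected upload rather than a partially cleaned name.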
OSV · 2026-02-25 · CVE-2026-27641 [CRITICAL]
Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection
No detection rules found.
No public exploits indexed.
Wiz · CVSS 9.8 · CVE-2026-27641 [CRITICAL]
CVE-2026-27641 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27641: Python vulnerability analysis and mitigation
Source: NVD
Score: 9.8 (CNA score 9.8)
Published: February 25, 2026
Severity: CRITICAL
Affected technologies: Python
Has public exploit: Yes
Has CISA KEV exploit: No (KEV release date N/A, KEV due date N/A)
EPSS: 0.2 exploitation probability, 40.7th percentile (the page header above shows a later value of 1.05%, 59.9th percentile)
Affected packages and libraries: flask-reuploaded (pip), severity CRITICAL, has fix, added Mar 02, 2026
## Related Python vulnerabilities: CVE-2026-35615
Bugzilla · 2026-03-24 · CVSS 6.9 · CVE-2026-23923 [MEDIUM]
CVE-2026-23923 zabbix7.0: Zabbix: Limited availability impact via arbitrary PHP class instantiation [epel-all]
(This tracker concerns a different CVE, CVE-2026-23923 in Zabbix, not Flask-Reuploaded.)
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
https://support.zabbix.com/browse/ZBX-27641 indicates that this does not apply to 7.0.X