cbcvebase.
CVE-2026-32274
published 2026-03-12

CVE-2026-32274: Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options…

PriorityP347high7.5CVSS 3.1
AVNACLPRNUINSUCNIHAN
EPSS
0.57%
43.0th percentile
Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.

Affected

5 ranges
VendorProductVersion rangeFixed in
debianblack< black 26.3.1-1 (forky)black 26.3.1-1 (forky)
psfblack< 26.3.126.3.1
psfblack>= 0 < 26.3.1-126.3.1-1
psfblack>= 0 < 26.3.126.3.1
pythonblack< 26.3.126.3.1

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv8.7HIGH
vendor_debian8.7HIGH
vendor_redhat8.7HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.