CVE-2026-32274
published 2026-03-12CVE-2026-32274: Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options…
PriorityP347high7.5CVSS 3.1
AVNACLPRNUINSUCNIHAN
EPSS
0.57%
43.0th percentile
Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | black | < black 26.3.1-1 (forky) | black 26.3.1-1 (forky) |
| psf | black | < 26.3.1 | 26.3.1 |
| psf | black | >= 0 < 26.3.1-1 | 26.3.1-1 |
| psf | black | >= 0 < 26.3.1 | 26.3.1 |
| python | black | < 26.3.1 | 26.3.1 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv8.7HIGH
vendor_debian8.7HIGH
vendor_redhat8.7HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Black: Arbitrary file writes from unsanitized user input in cache file name
osv·2026-03-12
CVE-2026-32274 [HIGH] Black: Arbitrary file writes from unsanitized user input in cache file name
Black: Arbitrary file writes from unsanitized user input in cache file name
### Impact
Black writes a cache file, the name of which is computed from various formatting options. The value of the `--python-cell-magics` option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations.
### Patches
Fixed in Black 26.3.1.
### Workarounds
Do not allow untrusted user input into the value of the `--python-cell-magics` option.
GHSA
Black: Arbitrary file writes from unsanitized user input in cache file name
ghsa·2026-03-12
CVE-2026-32274 [HIGH] CWE-22 Black: Arbitrary file writes from unsanitized user input in cache file name
Black: Arbitrary file writes from unsanitized user input in cache file name
### Impact
Black writes a cache file, the name of which is computed from various formatting options. The value of the `--python-cell-magics` option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations.
### Patches
Fixed in Black 26.3.1.
### Workarounds
Do not allow untrusted user input into the value of the `--python-cell-magics` option.
OSV
CVE-2026-32274: Black is the uncompromising Python code formatter
osv·2026-03-12·CVSS 8.7
CVE-2026-32274 [HIGH] CVE-2026-32274: Black is the uncompromising Python code formatter
Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.
Red Hat
black: Black: Arbitrary file writes from unsanitized user input in cache file name
vendor_redhat·2026-03-12·CVSS 8.7
CVE-2026-32274 [HIGH] CWE-22 black: Black: Arbitrary file writes from unsanitized user input in cache file name
black: Black: Arbitrary file writes from unsanitized user input in cache file name
Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.
A user input sanitization flaw has been discovered in the Black python code formatter. Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the val
Debian
CVE-2026-32274: black - Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes...
vendor_debian·2026·CVSS 8.7
CVE-2026-32274 [HIGH] CVE-2026-32274: black - Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes...
Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 26.3.1-1)
sid: resolved (fixed in 26.3.1-1)
trixie: open
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-32274 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-32274 [HIGH] CVE-2026-32274 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32274 :
Python vulnerability analysis and mitigation
Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.
Source : NVD
## 8.7
Score
Published March 12, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Python
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libr
Bugzilla
CVE-2026-32274 black: Black: Arbitrary file writes from unsanitized user input in cache file name
bugzilla·2026-03-12·CVSS 8.7
CVE-2026-32274 [HIGH] CVE-2026-32274 black: Black: Arbitrary file writes from unsanitized user input in cache file name
CVE-2026-32274 black: Black: Arbitrary file writes from unsanitized user input in cache file name
Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.
https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909dhttps://github.com/psf/black/pull/5038https://github.com/psf/black/releases/tag/26.3.1https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3mhttps://access.redhat.com/errata/RHSA-2026:10184https://access.redhat.com/errata/RHSA-2026:13545https://access.redhat.com/errata/RHSA-2026:13553https://access.redhat.com/security/cve/CVE-2026-32274https://bugzilla.redhat.com/show_bug.cgi?id=2447111https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32274.json
2026-03-12
Published