Unknown · Flask-Reuploaded · CVE-2026-27641
**Name of the Vulnerable Software and Affected Versions**
Flask-Reuploaded versions prior to 1.5.0
**Description**
Flask-Reuploaded, a file upload package for Flask, contains a path traversal and extension bypass flaw. A remote attacker can use it to write files to arbitrary locations and, because a written file can land where the application's template engine loads it, achieve remote code execution (RCE) through Server-Side Template Injection (SSTI). SSTI is a web security vulnerability in which attacker-supplied input is evaluated by a server-side template engine, letting the attacker run arbitrary code inside the web application. The user-controlled `name` parameter is a potential entry point for this issue.
**Recommendations**
Upgrade to version 1.5.0 or later to resolve this issue.
Do not pass user input to the `name` parameter.
Use auto-generated filenames only.
Implement strict input validation if the `name` parameter must be used.
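The helpers below are an added example, not Flask-Reuploaded's own code, and show one way to apply the three recommendations above in the application that calls the library: a strict allowlist validator for a user-supplied `name`, an auto-generated name that keeps only the validated extension, and a defence-in-depth check that the resolved path stays under the upload root. The function names, the `ALLOWED_EXTENSIONS` set, the `uploads` root and the sample filenames are all constructed for illustration; the example assumes the application decides the final filename before handing it to the upload set's `save()`.

```python
"""Filename hardening for user-controlled upload names.

Added example (hypothetical helper names); not Flask-Reuploaded's own code.
Assumes the application validates or generates the name before calling the
upload set's save(), rather than passing request input straight through.
"""
import os
import re
import secrets

# Constructed allowlist: only extensions the application serves as static
# content. Template-renderable or executable types (html, py, ...) are
# deliberately absent, which closes the extension-bypass half of the issue.
ALLOWED_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif", "pdf"})

# Exactly one stem of safe characters, one dot, one extension. A second dot
# (e.g. "x.png.html") or a leading dot is rejected outright.
_NAME_RE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+")


def validate_upload_name(name: str, allowed=ALLOWED_EXTENSIONS) -> str:
    """Return a normalised filename or raise ValueError.

    Rejects empty names, NUL bytes, path separators of either style,
    multiple extensions, leading dots and extensions outside the allowlist.
    """
    if not isinstance(name, str) or not name:
        raise ValueError("empty filename")
    if "\x00" in name:
        raise ValueError("NUL byte in filename")
    # A directory component is never part of a legitimate upload name, so
    # reject rather than trim it: trimming hides traversal attempts from logs.
    if "/" in name or "\\" in name:
        raise ValueError("path separator in filename")
    if not _NAME_RE.fullmatch(name):
        raise ValueError("filename has unexpected characters or extensions")
    stem, ext = name.rsplit(".", 1)
    ext = ext.lower()
    if ext not in allowed:
        raise ValueError(f"extension {ext!r} not allowed")
    return f"{stem}.{ext}"


def is_safe_upload_name(name: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    """Boolean form of validate_upload_name, convenient for logging/metrics."""
    try:
        validate_upload_name(name, allowed)
        return True
    except ValueError:
        return False


def generate_upload_name(original_name: str, allowed=ALLOWED_EXTENSIONS) -> str:
    """Auto-generate a random filename, keeping only the validated extension.

    This is the 'auto-generated filenames only' recommendation: nothing the
    client sent survives except an allowlisted extension.
    """
    ext = validate_upload_name(original_name, allowed).rsplit(".", 1)[1]
    return f"{secrets.token_hex(16)}.{ext}"


def resolve_within(upload_root: str, filename: str) -> str:
    """Defence in depth: confirm the real target path stays under upload_root.

    Even if an earlier layer let a traversal sequence through, the join is
    checked after symlink resolution so the write cannot escape the root.
    """
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("resolved path escapes upload root")
    return target


if __name__ == "__main__":
    # Constructed sample names: one legitimate upload, the rest shaped like
    # traversal or extension-bypass attempts a validator must refuse.
    samples = ["photo.PNG", "../../templates/index.html", "shell.png.html",
               ".hidden.png", "report.pdf", "a\\b.jpg"]
    for sample in samples:
        verdict = "accept" if is_safe_upload_name(sample) else "reject"
        print(f"{verdict:7} {sample!r}")
    print("generated:", generate_upload_name("photo.PNG"))
```

The validator is intentionally stricter than a typical `secure_filename`-style sanitiser: it refuses anything it would otherwise have to rewrite, so a traversal attempt produces a clear error (and a log line) instead of a silently renamed file.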