PT-2026-21857 · Unknown · Flask-Reuploaded

Cjaron03 · Published 2026-02-25 · Updated 2026-03-02 · CVE-2026-27641

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Flask-Reuploaded versions prior to 1.5.0

Description: Flask-Reuploaded, a file upload package for Flask, contains a path traversal and extension bypass flaw. It allows remote attackers to perform arbitrary file writes and achieve remote code execution (RCE) through Server-Side Template Injection (SSTI). SSTI is a web security vulnerability in which an attacker injects arbitrary code into a web application through its template engine. The name parameter is a potential entry point for this issue.

Recommendations: Upgrade to version 1.5.0 or later to resolve this issue. Do not pass user input to the name parameter; use auto-generated filenames only. Implement strict input validation if the name parameter must be used.
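A defender-side check for the recommendations above, added here as an example that is not part of this advisory or of Flask-Reuploaded itself: it discards any client-chosen file stem, enforces an extension allowlist, refuses path separators and traversal components, and confirms the final path stays inside the upload directory. The allowlist and the upload directory used are constructed values, and the code is library-independent, so it does not assume anything about the package's own API.

```python
import os
import re
import secrets
from typing import Optional

# Constructed allowlist for this example; tune it to what the application really accepts.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}


def extension_of(filename: str) -> str:
    """Lowercase extension after the LAST dot of the basename, or '' if there is none."""
    base = os.path.basename(filename)
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def is_safe_upload_name(name: str) -> bool:
    """Validate a caller-supplied name when auto-generated names cannot be used."""
    if not name or len(name) > 255 or "\x00" in name:
        return False
    # Any separator or traversal component means the caller tried to choose a directory.
    if "/" in name or "\\" in name or name in {".", ".."}:
        return False
    if os.path.basename(name) != name:
        return False
    # Conservative character set; no leading dot, so no hidden/dotfiles either.
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]*", name):
        return False
    return extension_of(name) in ALLOWED_EXTENSIONS


def generated_name(original_filename: str) -> Optional[str]:
    """Preferred path: keep only a validated extension and generate the stem server-side."""
    ext = extension_of(original_filename)
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return f"{secrets.token_hex(16)}.{ext}"


def resolve_in_upload_dir(upload_dir: str, name: str) -> Optional[str]:
    """Defence in depth: reject any resolved path that is not strictly under upload_dir."""
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, name))
    if target == root or os.path.commonpath([root, target]) != root:
        return None
    return target


if __name__ == "__main__":
    # Constructed sample inputs: a benign upload and a traversal attempt.
    for sample in ("report.pdf", "../../app/templates/index.html"):
        print(sample, "->", is_safe_upload_name(sample), generated_name(sample))
```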

Tags: Exploit · Fix · RCE · Path traversal


Weakness Enumeration

Related identifiers

CVE-2026-27641
GHSA-65MP-FQ8V-56JR

Affected products

Flask-Reuploaded