PT-2026-25073 · Black · Black

Fg0X0 · Published 2026-01-01 · Updated 2026-06-03 · CVE-2026-32274

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Black versions prior to 26.3.1

Description

Black, a Python code formatter, prior to version 26.3.1, improperly sanitizes user-supplied input when constructing the filename for a cache file. Specifically, the value provided to the --python-cell-magics option is directly incorporated into the filename without validation. This allows an attacker who can control the value of the --python-cell-magics argument to write cache files to arbitrary locations on the file system. The vulnerable component is the process of creating the cache filename. The vulnerable parameter is --python-cell-magics.

Recommendations

Versions prior to 26.3.1 should be updated to version 26.3.1 or later. Do not allow untrusted user input to be used as the value for the --python-cell-magics option.

Exploit

Fix

DoS

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-32274
ECHO-C5B6-7968-60AF
GHSA-3936-CMFR-PM3M
OPENSUSE-SU-2026:10372-1
OPENSUSE-SU-2026:20417-1
SUSE-SU-2026:0900-1
SUSE-SU-2026:20928-1

Affected Products

Black