PT-2026-21857 · Unknown · Flask-Reuploaded

Cjaron03 · Published 2026-02-25 · Updated 2026-03-02

CVE-2026-27641 · CVSS v3.1 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Flask-Reuploaded versions prior to 1.5.0

Description: Flask-Reuploaded, a file-upload extension for Flask, does not adequately sanitize the name under which an uploaded file is saved. A caller-supplied name can carry path-traversal sequences and can bypass the upload set's extension restrictions. In an application that passes client-controlled input to the name parameter, a remote attacker can therefore write files to arbitrary locations on the server; writing a template into a directory the application renders from turns the arbitrary write into server-side template injection (SSTI), in which attacker-controlled input is evaluated by the template engine, and from there into remote code execution (RCE). The name parameter is the identified potential entry point.

Recommendations: Upgrade to version 1.5.0 or later. Independently of the upgrade, audit every call site: do not pass user input to the name parameter, and prefer auto-generated filenames. If a caller-supplied name must be honoured, validate it strictly before it reaches the library (no path separators, an allow-listed final extension, and a check that the resolved destination stays inside the upload directory).
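The recommendations above, as an added example that is not part of this advisory or of Flask-Reuploaded itself: a small validation layer to put in front of any save call whose name can be influenced by a client (for instance, assuming the conventional `UploadSet.save(storage, name=...)` call, replacing `name=request.form["name"]` with `name=generate_name(storage.filename)`). The extension allow-list, the upload root and all function names are assumptions chosen for illustration; the hostile inputs in the demo are constructed.

```python
import os
import re
import uuid

# Assumptions for this example: the extensions the application accepts and
# the directory uploads are written to.
ALLOWED_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif", "pdf"})

# Stem allow-list: first character a letter or digit (so no dot-files), then
# letters, digits, dot, dash or underscore, at most 64 characters in total.
# Slashes, backslashes, whitespace and control characters never match.
_SAFE_STEM = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def split_extension(filename: str):
    """Return (stem, final extension lower-cased); extension is '' if absent."""
    stem, sep, ext = filename.rpartition(".")
    if not sep:
        return filename, ""
    return stem, ext.lower()


def generate_name(original_filename: str) -> str:
    """Preferred option: ignore any client-chosen name entirely. Keep only the
    uploaded file's extension, after checking it, and mint a random stem."""
    _, ext = split_extension(original_filename)
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not allowed")
    return f"{uuid.uuid4().hex}.{ext}"


def validate_name(name: str) -> str:
    """Fallback when a caller-supplied name must be honoured. Rejects path
    separators and NUL bytes (traversal), names without an allow-listed final
    extension (extension bypass), and stems outside the allow-list."""
    if not name or "\x00" in name or "/" in name or "\\" in name:
        raise ValueError("empty name, NUL byte or path separator")
    stem, ext = split_extension(name)
    # '.', '..', 'report.' and '.hidden' all end here: they have either no
    # extension, a non-allowed one, or an empty stem.
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not allowed")
    if not _SAFE_STEM.fullmatch(stem):
        raise ValueError("stem contains disallowed characters")
    return f"{stem}.{ext}"


def rejects(name: str, check=validate_name) -> bool:
    """True if `check` refuses `name`; convenience for the demo below."""
    try:
        check(name)
    except ValueError:
        return True
    return False


def destination_for(upload_root: str, name: str) -> str:
    """Defence in depth: after validation, prove the resolved target is still
    inside upload_root, so a future gap in validate_name cannot escape it."""
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, validate_name(name)))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("resolved path escapes the upload directory")
    return target


if __name__ == "__main__":
    # Constructed inputs of the kind an attacker would submit as `name`.
    hostile_names = [
        "../../templates/index.html",        # traversal into a template dir
        "..\\app\\templates\\base.html",     # Windows-style traversal
        "index.html",                        # extension bypass
        "shell.png\x00.py",                  # NUL-byte truncation attempt
        ".htaccess",                         # dot-file / server config
        "report.",                           # trailing dot, no extension
    ]
    for hostile in hostile_names:
        print(f"{hostile!r:40} rejected={rejects(hostile)}")
    print("Photo.PNG ->", validate_name("Photo.PNG"))
    print("cat.jpg   ->", generate_name("cat.jpg"))
    print(destination_for("/srv/uploads", "report.v2.png"))
```

`generate_name` is the option to reach for first, since it removes the attacker's influence over the stored name altogether; `validate_name` plus `destination_for` is the fallback the advisory's last recommendation describes, and the two checks are independent so that a mistake in one does not defeat the other.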

Tags: Exploit · Fix · RCE · Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-27641
GHSA-65MP-FQ8V-56JR

Affected Products

Flask-Reuploaded