PT-2026-25073 · Black · Black

Published: 2026-01-01 · Updated: 2026-06-03 · CVE-2026-32274

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Black versions prior to 26.3.1

Description: Black, a Python code formatter, prior to version 26.3.1, improperly sanitizes user-supplied input when constructing the filename for a cache file. Specifically, the value provided to the --python-cell-magics option is directly incorporated into the filename without validation. This allows an attacker who can control the value of the --python-cell-magics argument to write cache files to arbitrary locations on the file system. The vulnerable component is the process of creating the cache filename. The vulnerable parameter is --python-cell-magics.

Recommendations: Versions prior to 26.3.1 should be updated to version 26.3.1 or later. Do not allow untrusted user input to be used as the value for the --python-cell-magics option.
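The weakness class described above (an option value folded into a cache filename without validation) and the hardened shape the fix implies, as an added illustration that is not Black's own code: `unsafe_cache_path`, `safe_cache_path`, `validate_cell_magics`, the `MAGIC_NAME` pattern and the `/tmp/formatter-cache` location are all hypothetical constructions for this example.

```python
import hashlib
import re
from pathlib import Path
from typing import List

# Constructed sample cache location for the demonstration.
CACHE_DIR = Path("/tmp/formatter-cache")

# Hypothetical acceptance rule: a cell magic name is an identifier-like token.
# The real option's accepted syntax is not described on this page.
MAGIC_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def unsafe_cache_path(cache_dir: Path, cell_magics: str) -> Path:
    """Weak pattern: the raw option value becomes part of the filename."""
    return cache_dir / f"{cell_magics}.cache"


def escapes_cache_dir(cache_dir: Path, path: Path) -> bool:
    """True when the resolved path does not sit inside cache_dir (detection check)."""
    return cache_dir.resolve() not in path.resolve().parents


def validate_cell_magics(values: List[str]) -> List[str]:
    """Reject any value that is not a plain identifier (no separators, no dots)."""
    for v in values:
        if not MAGIC_NAME.fullmatch(v):
            raise ValueError(f"invalid cell magic name: {v!r}")
    return sorted(set(values))


def safe_cache_path(cache_dir: Path, cell_magics: List[str]) -> Path:
    """Hardened pattern: validate the values, then key the file by a digest of
    them so that no user-controlled text reaches the filename at all."""
    names = validate_cell_magics(cell_magics)
    digest = hashlib.sha256(",".join(names).encode()).hexdigest()[:16]
    path = cache_dir / f"cache.{digest}.pickle"
    # Defence in depth: refuse to proceed if the path somehow left the cache dir.
    if escapes_cache_dir(cache_dir, path):
        raise ValueError("cache path escapes the cache directory")
    return path
```

The digest step also makes the filename order-independent, so the same set of magic names always maps to the same cache entry.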

Exploit · Fix · DoS · Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-32274
ECHO-C5B6-7968-60AF
GHSA-3936-CMFR-PM3M
OPENSUSE-SU-2026:10372-1
OPENSUSE-SU-2026:20417-1
SUSE-SU-2026:0900-1
SUSE-SU-2026:20928-1

Affected Products

Black