PT-2026-35817 · Pypi · Django-S3File
Published 2026-04-28 · Updated 2026-05-12 · CVE-2026-42196
CVSS v4.0: 9.9 (Critical)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
django-s3file versions prior to 7.0.2
Description
S3FileMiddleware is susceptible to relative path traversal, allowing an attacker to use a modified request to escape pre-signed upload locations. This enables the Django application to load files from arbitrary locations into request.FILES, which may result in confidentiality and integrity issues.
Recommendations
Update to version 7.0.2 or later.
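As an added illustration of the defensive check behind this class of bug (this is not django-s3file's own code and not the actual change in 7.0.2), the function below accepts a client-supplied object key only if it still resolves under the pre-signed upload prefix after `.`, `..` and duplicate-slash normalisation. The prefix `tmp/s3file/` and the sample keys are constructed for the example.

```python
import posixpath

# Constructed upload prefix standing in for a pre-signed upload location.
UPLOAD_PREFIX = "tmp/s3file/"


def key_within_prefix(key: str, prefix: str = UPLOAD_PREFIX) -> bool:
    """Return True only if `key` names an object strictly inside `prefix`.

    S3-style keys use '/' as the separator on every platform, so posixpath
    is the right normaliser regardless of the host OS.
    """
    if not key or key.startswith("/"):
        return False
    # normpath collapses '.' and '..' segments and repeated slashes; a key
    # that climbs above the key root keeps a leading '..' after normalisation.
    normalised = posixpath.normpath(key)
    if normalised == "." or normalised.startswith(".."):
        return False
    base = posixpath.normpath(prefix)
    # Require the separator after the prefix so "tmp/s3file-other/x" does not
    # pass a naive startswith("tmp/s3file") check, and so the prefix itself
    # (a "directory", not a file) is rejected.
    return normalised.startswith(base + "/")


def partition_keys(keys):
    """Split submitted keys into (accepted, rejected) lists for logging."""
    accepted = [k for k in keys if key_within_prefix(k)]
    rejected = [k for k in keys if not key_within_prefix(k)]
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample of keys as a client might submit them.
    sample = [
        "tmp/s3file/abc/report.pdf",
        "tmp/s3file/a/../b.txt",
        "tmp/s3file/../../etc/passwd",
        "tmp/s3file-other/x",
        "/tmp/s3file/x",
    ]
    ok, bad = partition_keys(sample)
    print("accepted:", ok)
    print("rejected:", bad)
```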
Fix
Relative Path Traversal
Path traversal
Related Identifiers
Affected Products
Django-S3File