PT-2026-4841 · Pypi+2 · Python-Multipart+2
Imenyoo2 +1
Published 2026-01-25 · Updated 2026-05-09 · CVE-2026-24486
CVSS v2.0: 9.0 High
Vector: AV:N/AC:L/Au:N/C:P/I:C/A:P
Name of the Vulnerable Software and Affected Versions: Python-Multipart versions prior to 0.0.22
Description: Python-Multipart is a streaming multipart parser for Python. A path traversal issue exists when the non-default configuration options UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True are used. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. The issue occurs because the library constructs the file path with os.path.join(), which discards all preceding path components when the filename begins with '/'. This allows the intended upload directory to be bypassed and files to be written to arbitrary paths. The vulnerability is only present if UPLOAD_DIR is set, UPLOAD_KEEP_FILENAME is set to True, and the uploaded file exceeds MAX_MEMORY_FILE_SIZE.
Recommendations: Upgrade to version 0.0.22. Alternatively, avoid using UPLOAD_KEEP_FILENAME=True in project configurations.
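The os.path.join() behaviour the description relies on, shown next to a hardened join that keeps uploads inside the configured directory. This is an added illustration, not code from python-multipart; the upload directory and filenames are constructed sample values and nothing is written to disk.

```python
import os
from typing import Optional


def naive_upload_path(upload_dir: str, filename: str) -> str:
    # The pattern described in the advisory: when a component passed to
    # os.path.join() is absolute, every preceding component is discarded,
    # so a filename that starts with '/' replaces the upload directory.
    return os.path.join(upload_dir, filename)


def safe_upload_path(upload_dir: str, filename: str) -> Optional[str]:
    # Hardened variant: reduce the client-supplied name to its last path
    # component, then verify that the normalized target is still inside
    # upload_dir. os.path.abspath() collapses '..' segments; a deployment
    # that must also defeat symlinks would canonicalize both paths with
    # os.path.realpath() before the containment check.
    base = os.path.abspath(upload_dir)
    leaf = os.path.basename(filename.replace("\\", "/"))
    if leaf in ("", ".", ".."):
        return None
    target = os.path.abspath(os.path.join(base, leaf))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    # Constructed sample values (hypothetical directory and filenames).
    upload_dir = "/srv/uploads"
    for name in ("report.pdf", "/tmp/outside.txt", "../../outside.txt"):
        print(f"{name!r:20} naive={naive_upload_path(upload_dir, name)!r:24} "
              f"safe={safe_upload_path(upload_dir, name)!r}")
```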

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2026-01058
CVE-2026-24486
GHSA-WP53-J4WJ-2CFG
OESA-2026-2276
OPENSUSE-SU-2026:20125-1
SUSE-SU-2026:0307-1
SUSE-SU-2026:20188-1
USN-8027-1

Affected Products

Linuxmint
Python-Multipart
Ubuntu