PT-2026-53432 · Pypi · Flask-Reuploaded

Published

2026-06-29

·

Updated

2026-06-29

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact

A critical path traversal and extension bypass vulnerability in Flask-Reuploaded allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI).

Patches

Flask-Reuploaded has been patched in version 1.5.0

Workarounds

  1. Do not pass user input to the name parameter
  2. Use auto-generated filenames only
  3. Implement strict input validation if name must be used
python
from werkzeug.utils import secure filename
import os

# Sanitize user input before passing to save()
 safe name = secure filename(request.form.get('custom name'))
# Remove path separators
 safe name = os.path.basename(safe name)
# Validate extension matches policy
if not photos.extension allowed(photos.get extension(safe name)):
  abort(400)
  
filename = photos.save(file, name=safe name)

Resources

The fix is documented in the pull request, see https://github.com/jugmac00/flask-reuploaded/pull/180.
A proper write-up was created by the reporter of the vulnerability, Jaron Cabral (https://www.linkedin.com/in/jaron-cabral-751994357/), but is not yet available as of time of this publication.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

PYSEC-2026-341

Affected Products

Flask-Reuploaded