CVE-2026-24486 | THREATINT

Description

Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.

PUBLISHED Reserved 2026-01-23 | Published 2026-01-27 | Updated 2026-01-27 | Assigner GitHub_M

HIGH: 8.6CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

< 0.0.22

affected

References

github.com/...tipart/security/advisories/GHSA-wp53-j4wj-2cfg

github.com/...ommit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4

github.com/Kludex/python-multipart/releases/tag/0.0.22

cve.org (CVE-2026-24486)

nvd.nist.gov (CVE-2026-24486)

Download JSON