Skip to main content

Python CVE-2026-24486

HIGH
Path Traversal (CWE-22)
2026-01-27 security-advisories@github.com GHSA-wp53-j4wj-2cfg
Python Path Traversal Python Multipart Red Hat Suse
8.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
SUSE
HIGH
qualitative
Red Hat
8.6 HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
PoC Detected
Feb 17, 2026 - 20:44 vuln.today
Public exploit code
Patch released
Feb 17, 2026 - 20:44 nvd
Patch available
CVE Published
Jan 27, 2026 - 01:16 nvd
HIGH 8.6

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 44 pypi packages depend on python-multipart (40 direct, 4 indirect)

Ecosystem-wide dependent count for version 0.0.22.

DescriptionGitHub Advisory

Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using UPLOAD_KEEP_FILENAME=True in project configurations.

AnalysisAI

Arbitrary file write in Python-Multipart versions before 0.0.22 allows remote attackers to store uploaded files to any filesystem location when non-default configuration options UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True are enabled. An attacker can exploit this path traversal vulnerability by crafting malicious filenames in multipart uploads, potentially overwriting critical system or application files. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious filename with path traversal sequences
Exploit
Upload file via multipart form
Execution
Parser writes file to arbitrary filesystem location
Impact
Attacker achieves code execution or data corruption
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Python-Multipart versions prior to 0.0.22 with UPLOAD_KEEP_FILENAME=True configuration option enabled AND custom UPLOAD_DIR parameter set. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 8.6 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker could exploit this vulnerability to compromise the affected system.
Remediation A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all systems using Python-Multipart with UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True configurations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-48039 CRITICAL POC
9.1 Jun 11

Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API ac
CVE-2026-20251 HIGH
8.8 Jun 10

Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privil
CVE-2026-53753 CRITICAL
9.8 Jun 16

Unauthenticated remote code execution in Crawl4AI versions <= 0.8.6 allows attackers to escape the AST-based sandbox in

CVE-2026-48519 CRITICAL
9.6 Jun 16

Remote code execution in Langflow versions through 1.9.1 allows unauthenticated attackers to execute arbitrary Python co
CVE-2026-45833 CRITICAL
9.4 Jun 12

Authenticated remote code execution in ChromaDB Python project versions 0.4.17 and later enables attackers holding the U

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP applications 16.0 Fixed
openSUSE Leap 15.6 Fixed
openSUSE Leap 16.0 Fixed
SUSE Linux Enterprise Server 16.0 Affected
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-24486 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy