Black, Path Traversal, CVE-2026-32274 (High)

Listen to this Post

Black, the uncompromising Python code formatter, versions prior to 26.3.1, contains a high-severity path traversal vulnerability . The flaw resides in how the tool generates the filename for its cache storage. The filename is derived by concatenating various formatting options used during execution . Specifically, the value passed to the `–python-cell-magics` command-line argument is directly incorporated into this cache filename without any sanitization or validation . An attacker who can control or influence the value of this argument can inject path traversal sequences (e.g., ../) into the filename . When Black attempts to write its cache to the constructed path, the traversal sequences are interpreted by the filesystem, causing the file to be written outside the intended cache directory. This allows the attacker to write or overwrite files in arbitrary locations on the file system with the privileges of the user running Black . The issue is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) . The vulnerability has been addressed and fixed in Black version 26.3.1 .

dailycve form:

Platform: Python formatter
Version: before 26.3.1
Vulnerability : Arbitrary file write
Severity: High (CVSS 8.7)
date: March 12, 2026

Prediction: Patch already released

What Undercode Say:

Analytics

The vulnerability stems from trusting user input for file operations without validation. An attacker provides a malicious string to `–python-cell-magics` containing path traversal characters (../). This input is concatenated to form a cache file path. When the file is created, the operating system resolves the path, allowing the file to be placed in a directory controlled by the attacker, such as a system directory or a user’s startup folder.

Exploit:

Example of a malicious command to write a file to a sensitive location.
This attempts to write a cache file to the victim's .config directory.
black --python-cell-magics "../../../.config/malicious_cache" target_file.py

Protection from this CVE

1. Immediate fix: Update to the patched version.
pip install --upgrade black
2. Verify the installed version is 26.3.1 or higher.
black --version
3. Code fix (Conceptual): Sanitize the input by stripping path separators.
import re
user_magics = "../../../etc/passwd"
Sanitize by removing non-alphanumeric characters except allowed delimiters.
safe_magics = re.sub(r'[^a-zA-Z0-9, ]', '', user_magics)
Or use a hash of the input for the filename instead of the raw value.
import hashlib
filename = hashlib.sha256(user_magics.encode()).hexdigest()

Impact

Successful exploitation allows an attacker to perform arbitrary file writes. This can lead to overwriting critical system files, planting malicious scripts in auto-start directories, or modifying configuration files to gain persistent access or escalate privileges on the target system. The integrity of the system is compromised.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top