Description

Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI). Flask-Reuploaded has been patched in version 1.5.0. Some workarounds are available. Do not pass user input to the `name` parameter, use auto-generated filenames only, and implement strict input validation if `name` must be used.

INFO

Published Date :

2026-02-25T03:54:54.391Z

Last Modified :

2026-02-25T21:12:45.608Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27641 vulnerability.

Vendors Products
Jugmac00
  • Flask-reuploaded
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27641.

URL Resource
https://github.com/jugmac00/flask-reuploaded/commit/d64c6b2f71cb73734fc38baa0e3e156926361288 cve-icon cve-icon
https://github.com/jugmac00/flask-reuploaded/pull/180 cve-icon cve-icon
https://github.com/jugmac00/flask-reuploaded/security/advisories/GHSA-65mp-fq8v-56jr cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact