CVE-2026-24486

HIGH

Python-Multipart <0.0.22 - Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-24486. PoCs published by jefersoncardoso.dev.

AI-analyzed exploit summary This PoC demonstrates a path traversal vulnerability in python-multipart versions < 0.0.22, allowing arbitrary file writes via malicious filenames when UPLOAD_KEEP_FILENAME=True and UPLOAD_DIR is configured. It tests multiple payloads to exploit the flaw and write files to unintended locations.

Description

Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.

Exploits (1)

exploitdb WORKING POC

by jefersoncardoso.dev · pythonwebappspython

https://www.exploit-db.com/exploits/52543

View Code ZIP pw:eip

This PoC demonstrates a path traversal vulnerability in python-multipart versions < 0.0.22, allowing arbitrary file writes via malicious filenames when UPLOAD_KEEP_FILENAME=True and UPLOAD_DIR is configured. It tests multiple payloads to exploit the flaw and write files to unintended locations.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: python-multipart < 0.0.22

No auth needed

Prerequisites: python-multipart < 0.0.22 with UPLOAD_KEEP_FILENAME=True and UPLOAD_DIR configured · access to upload endpoint

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed May 05, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg

Patch x_refsource_misc

https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4

View Patch ZIP pw:eip

Product, Release Notes x_refsource_misc

https://github.com/Kludex/python-multipart/releases/tag/0.0.22

Scores

CVSS v3 8.6

EPSS 0.0176

EPSS Percentile 75.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (2)

fastapiexpert/python-multipart < 0.0.22

pypi/python-multipart 0 - 0.0.22PyPI

Published Jan 27, 2026

Tracked Since Feb 18, 2026