CVE-2026-32274

HIGH

Black <26.3.1 - Path Traversal

Title source: llm

Description

Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.

References (4)

[Vendor Advisory] https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m

[Issue Tracking] https://github.com/psf/black/pull/5038

[Release Notes] https://github.com/psf/black/releases/tag/26.3.1

[Patch] https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d

View Patch ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0002

EPSS Percentile 5.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (2)

pypi/black 0 - 26.3.1PyPI

python/black < 26.3.1

Published Mar 12, 2026

Tracked Since Mar 13, 2026