CVE-2026-32274

Name: CVE-2026-32274
Description: Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release    Version     Status
black (PTS)      bullseye   20.8b1-4    vulnerable
                 bookworm   23.1.0-1    vulnerable
                 trixie     25.1.0-3    vulnerable
                 forky      25.12.0-2   vulnerable
                 sid        26.1.0-1    vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
black     source   (unstable)   (unfixed)

Notes

https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m
https://github.com/psf/black/pull/5038
Fixed by: https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d (26.3.1)
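The description above states the mechanism: an option value is interpolated directly into a cache file name, so a value carrying path separators or ".." components moves the write outside the cache directory. The following is an added illustration written for this page, not Black's code and not the fix referenced in the commit above; the function names, the relative "example-cache" directory and the traversal-shaped option value are all constructed for the example. It places the unsafe pattern beside a hardened variant that derives the file name from a hash of the option value and, as a second line of defence, verifies that the resolved path still lies inside the cache directory.

```python
import hashlib
from pathlib import Path

# Constructed example location (relative to the working directory).
CACHE_DIR = Path("example-cache")


def unsafe_cache_path(cache_dir: Path, cell_magics: str) -> Path:
    """Pattern described in the advisory (illustrative, not Black's code):
    the option value goes into the file name verbatim, so separators
    and ".." in it are interpreted as directory components."""
    return cache_dir / f"cache.{cell_magics}.pickle"


def safe_cache_path(cache_dir: Path, cell_magics: str) -> Path:
    """Hardened variant (one possible mitigation, not the project's fix):
    the file name is a fixed-alphabet hex digest of the option value, so
    no user-controlled character reaches the file system, and the final
    path is checked to be contained in cache_dir."""
    digest = hashlib.sha256(cell_magics.encode("utf-8")).hexdigest()[:16]
    path = cache_dir / f"cache.{digest}.pickle"
    if escapes_cache_dir(cache_dir, path):
        raise ValueError("cache path escaped the cache directory")
    return path


def escapes_cache_dir(cache_dir: Path, candidate: Path) -> bool:
    """True when the candidate, after lexical/symlink resolution, is not
    strictly below cache_dir. Resolution happens before the comparison so
    that ".." segments cannot defeat a plain prefix check."""
    return cache_dir.resolve() not in candidate.resolve().parents


if __name__ == "__main__":
    # Constructed option value shaped like a traversal; benign values such
    # as "matplotlib,timeit" produce an in-directory path in both variants.
    value = "x/../../../tmp/evil"
    print("unsafe escapes cache dir:", escapes_cache_dir(CACHE_DIR, unsafe_cache_path(CACHE_DIR, value)))
    print("safe path:", safe_cache_path(CACHE_DIR, value))
```

The containment check on its own would already have caught the traversal; hashing is what removes the dependency on the file system's interpretation of the option string in the first place, so the two measures are complementary rather than redundant.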
