CVE-2026-32274

Name: CVE-2026-32274
Description: Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1130657
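The bug class described above is a path traversal through a file name built from caller-controlled option values. The snippet below is an added illustration of that pattern and of one way to harden it; it is not Black's own code, and the function names (cache_file_unsafe, cache_file_hardened, stays_inside, normalized), the "cache.<key>.pickle" layout and the constructed option value are assumptions made for the example. Black's real cache layout and its fix are in the linked advisory and commit.

```python
"""Illustration of the CVE-2026-32274 bug class: an option value spliced
into a cache file name without sanitization.  Added example, not Black's
code; names and layout here are hypothetical."""
import hashlib
import os
from pathlib import Path


def cache_file_unsafe(cache_dir: str, cell_magics: list[str]) -> Path:
    """Vulnerable pattern (hypothetical): the raw option values become part
    of the file name.  A value containing '/' and '..' walks out of
    cache_dir, so whoever controls the option (for instance via a committed
    project config read on a CI runner) chooses where the cache is written."""
    key = "magics=" + ",".join(sorted(cell_magics))
    return Path(cache_dir) / f"cache.{key}.pickle"


def cache_file_hardened(cache_dir: str, cell_magics: list[str]) -> Path:
    """Hardened pattern: hash the option set instead of embedding it.  The
    file name is then fixed-width and contains only hex digits, whatever
    the caller supplied, while still differing for different option sets."""
    key = "magics=" + ",".join(sorted(cell_magics))
    digest = hashlib.sha256(key.encode("utf-8")).hexdigest()
    return Path(cache_dir) / f"cache.{digest}.pickle"


def normalized(candidate: "str | Path") -> str:
    """Absolute, '..'-collapsed form of a path, without touching the disk."""
    return os.path.abspath(candidate)


def stays_inside(cache_dir: str, candidate: "str | Path") -> bool:
    """Defensive check worth keeping even after hashing: refuse any target
    that, once normalized, does not live under cache_dir."""
    root = normalized(cache_dir)
    target = normalized(candidate)
    return os.path.commonpath([root, target]) == root


if __name__ == "__main__":
    # Constructed inputs for the demonstration; not taken from any report.
    cache = "/tmp/black-cache"
    hostile = ["x/../../../../evil"]
    benign = ["time", "timeit"]
    for magics in (hostile, benign):
        unsafe = cache_file_unsafe(cache, magics)
        safe = cache_file_hardened(cache, magics)
        print(f"{magics!r}:")
        print(f"  unsafe   -> {normalized(unsafe)}  inside={stays_inside(cache, unsafe)}")
        print(f"  hardened -> {normalized(safe)}  inside={stays_inside(cache, safe)}")
```

With the hostile value the unsafe name normalizes to /evil.pickle, outside the cache directory, while the hashed name stays under /tmp/black-cache. Hashing rather than allow-listing characters is the simpler fix because it removes every question about which characters are safe on which file system; the containment check is cheap insurance against the next option that gets added to the key.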

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release      Version    Status
black (PTS)      bullseye     20.8b1-4   vulnerable
                 bookworm     23.1.0-1   vulnerable
                 trixie       25.1.0-3   vulnerable
                 forky, sid   26.3.1-1   fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
black     source   (unstable)   26.3.1-1                           1130657

Notes

[trixie] - black <no-dsa> (Minor issue)
[bookworm] - black <no-dsa> (Minor issue)
[bullseye] - black <postponed> (Minor issue)
https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m
https://github.com/psf/black/pull/5038
Fixed by: https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d (26.3.1)
