CVE-2026-32274

Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32274.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22"
    ]
}

References

Affected packages

Git / github.com/psf/black

Affected ranges

Type: GIT
Repo: https://github.com/psf/black
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

4937fe6cf241139ddbfc16b0bdbb5b422798909d

Type: GIT
Repo: https://github.com/psf/black
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

c6755bb741b6481d6b3d3bb563c83fa060db96c9

Affected versions

18.*

18.3a0

18.3a1

18.3a2

18.3a3

18.3a4

18.4a0

18.4a1

18.4a2

18.4a3

18.4a4

18.5b0

18.5b1

18.6b0

18.6b1

18.6b2

18.6b3

18.6b4

18.9b0

19.*

19.10b0

19.3b0

20.*

20.8b0

20.8b1

21.*

21.10b0

21.11b0

21.11b1

21.12b0

21.4b0

21.4b1

21.4b2

21.5b0

21.5b1

21.5b2

21.6b0

21.7b0

21.8b0

21.9b0

22.*

22.1.0

22.10.0

22.12.0

22.3.0

22.6.0

22.8.0

23.*

23.1.0

23.10.0

23.10.1

23.11.0

23.12.0

23.12.1

23.3.0

23.7.0

23.9.0

23.9.1

24.*

24.1.0

24.1.1

24.10.0

24.2.0

24.3.0

24.4.0

24.4.1

24.4.2

24.8.0

25.*

25.1.0

25.11.0

25.12.0

25.9.0

26.*

26.1.0

26.3.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32274.json"