GHSA-3936-cmfr-pm3m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3936-cmfr-pm3m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-3936-cmfr-pm3m/GHSA-3936-cmfr-pm3m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3936-cmfr-pm3m
- Aliases
- Published
- 2026-03-12T18:33:10Z
- Modified
- 2026-03-14T01:46:41.190718Z
- Severity
-
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Black: Arbitrary file writes from unsanitized user input in cache file name
- Details
-
Impact
Black writes a cache file, the name of which is computed from various formatting options. The value of the
--python-cell-magicsoption was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations.Patches
Fixed in Black 26.3.1.
Workarounds
Do not allow untrusted user input into the value of the
--python-cell-magicsoption. - Database specific
{ "nvd_published_at": "2026-03-12T20:16:06Z", "github_reviewed": true, "cwe_ids": [ "CWE-22" ], "github_reviewed_at": "2026-03-12T18:33:10Z", "severity": "HIGH" }- References
-
- https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m
- https://nvd.nist.gov/vuln/detail/CVE-2026-32274
- https://github.com/psf/black/pull/5038
- https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d
- https://github.com/psf/black
- https://github.com/psf/black/releases/tag/26.3.1
Affected packages
PyPI / black
Package
- Name
- black
- View open source insights on deps.dev
- Purl
- pkg:pypi/black
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed26.3.1
Affected versions
18.*
18.3a0
18.3a1
18.3a2
18.3a3
18.3a4
18.4a0
18.4a1
18.4a2
18.4a3
18.4a4
18.5b0
18.5b1
18.6b0
18.6b1
18.6b2
18.6b3
18.6b4
18.9b0
19.*
19.3b0
19.10b0
20.*
20.8b0
20.8b1
21.*
21.4b0
21.4b1
21.4b2
21.5b0
21.5b1
21.5b2
21.6b0
21.7b0
21.8b0
21.9b0
21.10b0
21.11b0
21.11b1
21.12b0
22.*
22.1.0
22.3.0
22.6.0
22.8.0
22.10.0
22.12.0
23.*
23.1a1
23.1.0
23.3.0
23.7.0
23.9.0
23.9.1
23.10.0
23.10.1
23.11.0
23.12.0
23.12.1
24.*
24.1a1
24.1.0
24.1.1
24.2.0
24.3.0
24.4.0
24.4.1
24.4.2
24.8.0
24.10.0
25.*
25.1.0
25.9.0
25.11.0
25.12.0
26.*
26.1a1
26.1.0
26.3.0