GHSA-67qg-7284-2277

Source

https://github.com/advisories/GHSA-67qg-7284-2277

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-67qg-7284-2277/GHSA-67qg-7284-2277.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-67qg-7284-2277

Aliases

CVE-2026-42196

Published

2026-05-05T20:05:49Z

Modified

2026-05-13T16:57:37.426747Z

Severity

9.9 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N CVSS Calculator

Summary

django-s3file is vulnerable to relative path traversal

Details

Impact

S3FileMiddleware is vulnerable to relative path traversal attacks, where an attacker can use a modified request to escape pre-signed upload locations and have the Django application load files from random locations into request.FILES

Depending on how files are handled, this may lead to confidentiality and integrity issues.

Patches

Django-S3File urges all users to update to a patched version >=7.0.2.

Database specific

{
    "github_reviewed_at": "2026-05-05T20:05:49Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22",
        "CWE-23",
        "CWE-26"
    ],
    "nvd_published_at": "2026-05-12T22:16:34Z",
    "severity": "CRITICAL"
}

References

Affected packages

PyPI / django-s3file

Package

Name: django-s3file; View open source insights on deps.dev
Purl: pkg:pypi/django-s3file

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.0.2

Affected versions

0.*

0.1.0

0.1.1

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.1.8

0.1.9

0.1.10

0.1.11

0.1.12

0.1.13

0.1.14

0.1.15

0.1.16

0.1.17

0.1.18

0.1.19

0.1.20

0.1.21

0.1.22

0.1.23

0.2.0

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

0.4.0

0.4.1

0.5.0

0.5.1

0.5.2

0.5.3

0.5.4

0.6.0

0.6.1

0.6.2

1.*

1.0.0

1.0.1

1.0.2

1.1.0

1.2.0

1.2.1

2.*

2.0.0

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

4.*

4.0.0

4.0.1

4.0.2

4.1.0

4.2.0

5.*

5.0.0

5.0.1

5.0.2

5.0.4

5.0.5

5.0.6

5.1.0

5.1.1

5.1.2

5.1.3

5.2.0

5.3.0

5.4.0

5.5.0

5.5.1

5.5.2

5.5.3

5.5.4

5.5.5

5.5.7

6.*

6.0.1

7.*

7.0.0

7.0.1

Database specific

last_known_affected_version_range

"<= 7.0.1"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-67qg-7284-2277/GHSA-67qg-7284-2277.json"