Cyber Posture

CVE-2026-27641

Severity: Critical · Public PoC

Published: 25 February 2026
Modified: 27 February 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0023 (45.2nd percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI). Flask-Reuploaded has been patched in version 1.5.0. Some workarounds are available: do not pass user input to the `name` parameter, use auto-generated filenames only, and implement strict input validation if `name` must be used.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- Prevent: Directly remediates the path traversal and extension bypass flaw by updating Flask-Reuploaded to the patched version 1.5.0 or later.
- Prevent: Enforces strict validation of user-supplied filenames in the `name` parameter to block path traversal sequences and invalid extensions that lead to arbitrary file writes and SSTI.
- Prevent: Restricts file upload inputs to auto-generated filenames only, preventing user-controlled `name` parameters from enabling path traversal and extension bypass.

Security Summary [AI-generated]

Flask-Reuploaded, a file upload library for Flask applications, contains a critical path traversal and extension bypass vulnerability (CVE-2026-27641) affecting versions prior to 1.5.0. This flaw, linked to CWE-1336 and CWE-22, enables attackers to manipulate file paths and extensions during uploads, leading to arbitrary file writes and remote code execution via Server-Side Template Injection (SSTI). The vulnerability carries a CVSS v3.1 base score of 9.8, reflecting its high severity.

Remote, unauthenticated attackers can exploit this issue over the network with low attack complexity and no user interaction. By crafting malicious filenames passed to the `name` parameter, they can write arbitrary files on the server, potentially overwriting critical files, and escalate to RCE through SSTI when the uploaded files are later processed as templates.

The vulnerability has been patched in Flask-Reuploaded version 1.5.0, as detailed in the project's GitHub security advisory (GHSA-65mp-fq8v-56jr), pull request #180, and the fixing commit d64c6b2f71cb73734fc38baa0e3e156926361288. Workarounds include avoiding user input in the `name` parameter, relying solely on auto-generated filenames, and enforcing strict input validation if custom names are necessary.

Details

CWE(s)

- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

Affected Products

- jugmac00 / flask-reuploaded, version ≤ 1.5.0

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1221 Template Injection (Stealth): Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.

Why these techniques?

The CVE enables exploitation of a public-facing Flask web application (T1190) via path traversal and extension bypass in file uploads, leading directly to arbitrary file writes and RCE through Server-Side Template Injection (T1221).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References