CVE-2026-27641
Published: 25 February 2026
Summary
CVE-2026-27641 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Jugmac00 Flask-Reuploaded. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 40.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Flask-Reuploaded, a file upload library for Flask applications, contains a critical path traversal and extension bypass vulnerability (CVE-2026-27641) affecting versions prior to 1.5.0. This flaw, linked to CWE-1336 and CWE-22, enables attackers to manipulate file paths and extensions during uploads, leading to arbitrary file writes and remote code execution via Server-Side Template Injection (SSTI). The vulnerability carries a CVSS v3.1 base score of 9.8, reflecting its high severity.
Remote, unauthenticated attackers can exploit this issue over the network with low complexity and no user interaction required. By crafting malicious filenames passed to the `name` parameter, they achieve arbitrary file writes on the server, potentially overwriting critical files, and escalate to RCE through SSTI when uploaded files are processed as templates.
The vulnerability has been patched in Flask-Reuploaded version 1.5.0, as detailed in the project's GitHub security advisory (GHSA-65mp-fq8v-56jr), pull request #180, and the fixing commit d64c6b2f71cb73734fc38baa0e3e156926361288. Workarounds include avoiding user input in the `name` parameter, relying solely on auto-generated filenames, and enforcing strict input validation if custom names are necessary.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8616
Vulnerability details
Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI). Flask-Reuploaded has been patched in version 1.5.0. Some workarounds are available. Do not pass user input to the `name` parameter, use auto-generated filenames only, and implement strict input validation if `name` must be used.
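The two workarounds above (auto-generated filenames, or strict validation when `name` must be user-chosen) as an added example; this is not code from the advisory or from the Flask-Reuploaded project. It is pure standard library and is meant to run before an application hands a name to the upload library's save call; the extension allowlist, the name pattern and the `uploads` directory are assumptions for illustration.

```python
import os
import re
import uuid

# Constructed allowlist for this illustration: extensions the application
# is willing to store; anything else is rejected rather than renamed.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}

# A caller-supplied name must be exactly <base>.<ext>: one dot, no path
# separators, no leading dot, no NUL or control characters. Rejecting
# instead of "cleaning" means a traversal or double-extension name never
# reaches the filesystem in any form.
_NAME_RE = re.compile(r"([A-Za-z0-9][A-Za-z0-9_-]{0,63})\.([A-Za-z0-9]{1,8})")

def generated_name(extension: str) -> str:
    """Preferred workaround: ignore user input and mint a random name."""
    # Only the extension comes from the request, and only from the allowlist.
    ext = extension.lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return f"{uuid.uuid4().hex}.{ext}"

def validate_name(name: str) -> str:
    """Strict check for the case where `name` must be user-chosen."""
    match = _NAME_RE.fullmatch(name or "")
    if match is None:
        raise ValueError("name must be <base>.<ext> with no separators")
    if match.group(2).lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return name

def is_safe_name(name: str) -> bool:
    """Boolean form of validate_name for request handlers and tests."""
    try:
        validate_name(name)
    except (TypeError, ValueError):
        return False
    return True

def resolve_upload_path(upload_dir: str, name: str) -> str:
    """Defence in depth: the final destination must stay inside upload_dir."""
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, validate_name(name)))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("destination escapes the upload directory")
    return dest
```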
- CWE(s): CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine), CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables exploitation of a public-facing Flask web application (T1190) via path traversal and extension bypass in file uploads, leading directly to arbitrary file writes and RCE through Server-Side Template Injection (T1221).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the path traversal and extension bypass flaw by updating Flask-Reuploaded to the patched version 1.5.0 or later.
- SI-10 (Information Input Validation): enforces strict validation of user-supplied filenames in the `name` parameter to block path traversal sequences and invalid extensions that lead to arbitrary file writes and SSTI.
- Restricts file upload inputs to auto-generated filenames only, preventing user-controlled `name` parameters from enabling path traversal and extension bypass.