CVE-2026-32274
Published: 12 March 2026
Summary
CVE-2026-32274 is a high-severity Path Traversal (CWE-22) vulnerability in Black, the Python code formatter. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001). The CVE is ranked at the 34.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-32274 affects the Black Python code formatter in versions prior to 26.3.1. The vulnerability arises because Black constructs cache filenames from various formatting options, including the --python-cell-magics argument, without sanitizing its value. This leads to a path traversal issue (CWE-22), enabling cache files to be written to arbitrary filesystem locations. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), highlighting high integrity impact with no confidentiality or availability effects.
An attacker who controls the value of the --python-cell-magics option (for example, through malicious input in environments where Black is invoked programmatically, or via scripts that process untrusted data) can exploit this remotely with low complexity and with no privileges or user interaction required. Successful exploitation allows cache files to be written to unintended locations, potentially overwriting files and compromising system integrity to the extent the executing process's permissions allow.
The vulnerability was addressed in Black 26.3.1, as documented in the GitHub security advisory GHSA-3936-cmfr-pm3m, the fixing commit 4937fe6cf241139ddbfc16b0bdbb5b422798909d, pull request #5038, and the release notes. Mitigation consists of upgrading to Black 26.3.1 or later, which sanitizes the option value before using it in cache filenames.
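As an added example (not Black's own code, and not the project's actual fix), the following shows one way to derive a cache filename from formatter options so that user-controlled values such as the --python-cell-magics list cannot influence which directory the file lands in, together with a containment check that a test suite could run; CACHE_DIR and the function names are assumptions.

```python
# Added example, not code from Black or from its fix for CVE-2026-32274.
# The cache filename is a digest of the option values, so no byte of user
# input ever becomes part of the path, and a containment check rejects any
# path that resolves outside the cache directory.
import hashlib
import os
from pathlib import Path

CACHE_DIR = Path("/tmp/example-black-cache")  # constructed sample location


def hashed_cache_name(cache_dir: Path, option_values: list[str]) -> Path:
    """Build a filename from a fixed-alphabet digest of the option values."""
    # NUL separates values so ["a", "b"] and ["ab"] hash differently.
    material = "\0".join(option_values).encode("utf-8")
    digest = hashlib.sha256(material).hexdigest()[:32]
    return cache_dir / f"cache.{digest}.pickle"


def is_inside(cache_dir: Path, candidate: Path) -> bool:
    """True only if the resolved candidate stays under the resolved cache dir.

    commonpath is used instead of a string prefix test so that a sibling
    directory whose name merely starts with the cache dir name is rejected.
    """
    base = os.path.realpath(cache_dir)
    target = os.path.realpath(candidate)
    return os.path.commonpath([base, target]) == base


def safe_cache_path(cache_dir: Path, option_values: list[str]) -> Path:
    """Derive the cache path and refuse anything outside cache_dir."""
    path = hashed_cache_name(cache_dir, option_values)
    if not is_inside(cache_dir, path):
        raise ValueError("cache path escaped the cache directory")
    return path


if __name__ == "__main__":
    # Constructed option values, including one containing path separators.
    print(safe_cache_path(CACHE_DIR, ["py36", "custom/magic"]))
```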
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11698
Vulnerability details
Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal enables arbitrary cache file writes/overwrites (direct Stored Data Manipulation); remote untrusted input to Black in server-side contexts enables public app exploitation.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the path traversal vulnerability by requiring validation of unsanitized inputs such as the --python-cell-magics option value used in cache filename construction.
- Ensures timely remediation of the known flaw in Black versions prior to 26.3.1 by identifying, reporting, and patching the vulnerable software.
- AC-6 (Least Privilege): Limits the impact of arbitrary cache file writes by enforcing least privilege on the process executing Black, restricting write permissions to authorized locations only.