Cyber Posture

CVE-2026-32274

Severity: High
Published: 12 March 2026
Modified: 18 March 2026
KEV Added: not listed
Patch: Black 26.3.1
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0002 (6.0th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32274 is a high-severity Path Traversal (CWE-22) vulnerability in Python Black. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Stored Data Manipulation (T1565.001). Its EPSS score places it at the 6.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Stored Data Manipulation (T1565.001) and Exploit Public-Facing Application (T1190).

Threat & Defense Details

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.

MITRE ATT&CK Enterprise Techniques

T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The traversal lets an attacker who controls the option value write or overwrite a cache file at an arbitrary path, which is manipulation of data at rest (T1565.001). Where a server-side service passes remote, untrusted input through to Black's command line, the same flaw becomes reachable as an exploit of a public-facing application (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.

Deeper analysis

CVE-2026-32274 affects the Black Python code formatter in versions prior to 26.3.1. Black derives the name of its on-disk cache file from the formatting options in effect, and the value of the --python-cell-magics option was placed into that filename without sanitization. A value containing path separators and parent-directory components therefore escapes the cache directory, a classic path traversal (CWE-22): the cache file is written wherever the crafted value points. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N): high integrity impact, no confidentiality or availability impact.

The precondition is control of that option value. Black is a command-line tool, so in practice the attacker must be able to influence how Black is invoked: a service that exposes Black over the network and forwards user-supplied options, a CI or pre-commit job whose arguments or configuration come from an untrusted pull request, or any wrapper that builds Black's command line from external input. No privileges or user interaction are required beyond that, and the write happens with the permissions of the process running Black, so the reachable targets are whatever that user can create or overwrite. The advisory scopes the primitive to writing Black cache files: the attacker chooses the destination path, and the vector rates the outcome as an integrity impact only; the practical concern is clobbering files that the running user owns and that something else will later read or execute.

The fix shipped in Black 26.3.1 (GitHub security advisory GHSA-3936-cmfr-pm3m, fixing commit 4937fe6cf241139ddbfc16b0bdbb5b422798909d, pull request #5038, and the release notes). Upgrade to 26.3.1 or later, which sanitizes the option value before it reaches the cache filename. Until then, do not let untrusted parties set --python-cell-magics, pin Black's version in pre-commit and CI configuration so the patched release is the one that actually runs, and treat any service that passes user input to Black's command line as exposed.
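The flaw above comes down to a user-controlled option value being spliced into a filename. What follows is an added illustration, not Black's own code or its 26.3.1 fix: a toy cache-naming function that reproduces the traversal, a containment check of the kind a reviewer would ask for, and a hardened version that allow-lists the value and hashes it into the name. The cache root /tmp/black-cache, the mode tag "py312" and the magic values are constructed for the demo; Black's real cache layout is not reproduced here.

```python
# Added example, not Black's own code: a toy cache-file naming scheme that
# reproduces the CWE-22 pattern described above, beside a hardened version.
# The cache root, mode tag and magic values below are constructed for the demo.
import hashlib
import posixpath
import re

CACHE_DIR = "/tmp/black-cache"  # assumed cache root; stands in for Black's real cache directory

# Only identifier-like cell magic names are accepted by the validating control.
_MAGIC_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def vulnerable_cache_path(cache_dir: str, mode_tag: str, cell_magics: list[str]) -> str:
    """Vulnerable pattern: raw option values are spliced into the filename.

    A value containing '/' and '..' is treated as directory structure by the
    path join, so normalisation walks out of cache_dir.
    """
    name = f"cache.{mode_tag}.{'_'.join(cell_magics)}.pickle"
    return posixpath.normpath(posixpath.join(cache_dir, name))


def escapes_cache_dir(cache_dir: str, path: str) -> bool:
    """Containment check: True when path resolves outside cache_dir."""
    root = posixpath.normpath(cache_dir)
    return posixpath.commonpath([root, posixpath.normpath(path)]) != root


def valid_cell_magic(value: str) -> bool:
    """Allow-list validation of one --python-cell-magics value (the CWE-22 control)."""
    return _MAGIC_NAME.fullmatch(value) is not None


def hardened_cache_path(cache_dir: str, mode_tag: str, cell_magics: list[str]) -> str:
    """Hardened: option values reach the filename only through a hash.

    Validation rejects anything that is not a plain magic name, the digest
    keeps the cache key unique per option set, and the containment check is
    defence in depth in case another option is ever spliced in raw.
    """
    bad = [m for m in cell_magics if not valid_cell_magic(m)]
    if bad:
        raise ValueError(f"rejected cell magic value(s): {bad!r}")
    digest = hashlib.sha256("\x00".join(sorted(cell_magics)).encode()).hexdigest()[:16]
    path = posixpath.normpath(posixpath.join(cache_dir, f"cache.{mode_tag}.{digest}.pickle"))
    if escapes_cache_dir(cache_dir, path):
        raise ValueError("cache path escaped the cache directory")
    return path


# Constructed attacker value: one legitimate magic plus a traversal payload.
MALICIOUS_MAGICS = ["time", "/../../../../evil/target"]


def demo() -> dict[str, object]:
    """Run the vulnerable and hardened schemes on benign and malicious input."""
    result: dict[str, object] = {
        "benign": vulnerable_cache_path(CACHE_DIR, "py312", ["time"]),
        "traversal": vulnerable_cache_path(CACHE_DIR, "py312", MALICIOUS_MAGICS),
        "hardened_benign": hardened_cache_path(CACHE_DIR, "py312", ["time"]),
    }
    result["traversal_escaped"] = escapes_cache_dir(CACHE_DIR, str(result["traversal"]))
    try:
        hardened_cache_path(CACHE_DIR, "py312", MALICIOUS_MAGICS)
        result["hardened_rejected"] = False
    except ValueError:
        result["hardened_rejected"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the constructed payload the vulnerable scheme resolves to /evil/target.pickle, well outside the cache root, while the hardened scheme refuses the value outright and, for legitimate names, produces a fixed-shape filename whose only variable part is a hex digest. Hashing rather than escaping is the design choice worth copying: it removes the question of which characters are dangerous on which filesystem.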

Details

CWE(s)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

Affected Products
python / black, versions prior to 26.3.1 (fixed in 26.3.1)

CVEs Like This One

CVE-2026-31900 (same product: Python Black)
CVE-2026-40518 (shared CWE-22)
CVE-2025-1785 (shared CWE-22)
CVE-2026-25990 (same vendor: Python)
CVE-2026-33656 (shared CWE-22)
CVE-2025-61686 (shared CWE-22)
CVE-2026-28791 (shared CWE-22)
CVE-2026-26187 (shared CWE-22)
CVE-2026-33344 (shared CWE-22)
CVE-2025-59384 (shared CWE-22)
