Cyber Resilience

CVE-2026-32274

Severity: High (record updated)

Published: 12 March 2026
Modified: 30 June 2026
KEV Added: not listed (see Summary)
Patch: fixed in Black 26.3.1
CVSS v4 score: 8.7
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0042 (34.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-32274 is a high-severity Path Traversal (CWE-22) vulnerability in Python Black. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001). The CVE is ranked at the 34.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-32274 affects the Black Python code formatter in versions prior to 26.3.1. The vulnerability arises because Black constructs cache filenames from various formatting options, including the value of the --python-cell-magics argument, without sanitizing that value. Because the raw value is spliced into the filename, this is a path traversal weakness (CWE-22): the cache file can end up written to an arbitrary filesystem location rather than inside the cache directory. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), reflecting a high integrity impact with no confidentiality or availability effect.

An attacker who controls the --python-cell-magics option value (for example through malicious input in environments where Black is invoked programmatically, or via scripts that process untrusted data) can exploit this remotely with low complexity and without privileges or user interaction. Successful exploitation writes cache files to unintended locations, potentially overwriting files and compromising system integrity to the extent of the executing process's permissions.

The vulnerability was addressed in Black 26.3.1, as detailed in the GitHub security advisory GHSA-3936-cmfr-pm3m, the fixing commit 4937fe6cf241139ddbfc16b0bdbb5b422798909d, pull request #5038, and the release notes. Mitigation consists of upgrading to Black 26.3.1 or later, which sanitizes the option value before using it in cache filenames.

Vulnerability details

Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.
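The cache-filename construction described in the Deeper analysis and Vulnerability details sections, shown beside a hardened form, as an added Python example. This is not Black's code: the function names, the cache.<line_length>.<value>.pickle filename layout, the cache directory and the sample option values are assumptions made for the demonstration. The page describes the upstream fix as sanitizing the option value; this example instead reduces the value to a hash digest and adds a containment check, a different technique that achieves the same property (the untrusted value never reaches the filename verbatim).

```python
"""
Illustration of the CWE-22 pattern described for CVE-2026-32274 and of a
hardened replacement. Added example, not Black's code: the function names,
the cache filename layout and the sample option values are assumptions.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed cache location for the demo; nothing is written to disk.
CACHE_DIR = Path(tempfile.gettempdir()) / "example-black-cache"


def vulnerable_cache_path(cache_dir: Path, python_cell_magics: str, line_length: int = 88) -> Path:
    """The pattern the advisory describes: the raw option value is spliced into
    the cache filename. A value containing '/' and '..' components therefore
    moves the file out of cache_dir (assumed layout, not Black's real format)."""
    name = f"cache.{line_length}.{python_cell_magics}.pickle"
    return cache_dir / name


def is_within(path: Path, root: Path) -> bool:
    """True if path, after resolving symlinks and '..' components, lies under root.
    Both sides are resolved so that aliases such as /tmp -> /private/tmp compare equal."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def escapes_cache_dir(cache_dir: Path, path: Path) -> bool:
    """Containment check usable as a guard before writing, or as an audit over
    candidate filenames when reviewing similar code."""
    return not is_within(path, cache_dir)


def _normalise_magics(value: str) -> str:
    # Split on commas, trim, sort and de-duplicate so that equivalent option
    # sets ('a, b' and 'b,a') share one cache key.
    parts = sorted({p.strip() for p in value.split(",") if p.strip()})
    return ",".join(parts)


def safe_cache_path(cache_dir: Path, python_cell_magics: str, line_length: int = 88) -> Path:
    """Hardened form. The option value never reaches the filename verbatim: it
    contributes to the cache key only through a fixed-length SHA-256 digest,
    so the filename alphabet stays under our control. The containment check is
    kept as defence in depth in case another option is later spliced in raw."""
    digest = hashlib.sha256(_normalise_magics(python_cell_magics).encode("utf-8")).hexdigest()[:16]
    name = f"cache.{line_length}.{digest}.pickle"
    candidate = cache_dir / name
    if escapes_cache_dir(cache_dir, candidate):
        raise ValueError(f"refusing cache path outside {cache_dir}: {candidate}")
    return candidate


if __name__ == "__main__":
    # Constructed inputs: a benign magic name and a value carrying
    # parent-directory components. Note that the first '../' is glued to the
    # 'cache.88.' prefix, so three are needed to leave the cache directory.
    for value in ("timeit", "../../../outside/evil"):
        bad = vulnerable_cache_path(CACHE_DIR, value)
        print(f"{value!r:26} vulnerable -> {bad}  escapes={escapes_cache_dir(CACHE_DIR, bad)}")
        print(f"{'':26} safe       -> {safe_cache_path(CACHE_DIR, value)}")
```

Running the block prints the vulnerable and hardened paths for both inputs; the vulnerable path for the traversal value resolves outside the cache directory, while the hardened path always stays inside it and contains no path separators. The same escapes_cache_dir check can be dropped into a unit test for any code that derives filenames from user-controlled options, which is the SI-10 style validation the Mitigating Controls section calls for.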

CWE(s)

CWE-22 Path Traversal
Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1565.001 Stored Data Manipulation (tactic: Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal enables arbitrary cache-file writes and overwrites (direct Stored Data Manipulation); remote untrusted input reaching Black in server-side contexts enables exploitation of a public-facing application.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31900 (same product: Python Black)
CVE-2026-40518 (shared CWE-22)
CVE-2025-1785 (shared CWE-22)
CVE-2026-44243 (shared CWE-22)
CVE-2026-28791 (shared CWE-22)
CVE-2020-36883 (shared CWE-22)
CVE-2026-33656 (shared CWE-22)
CVE-2026-33344 (shared CWE-22)
CVE-2026-26187 (shared CWE-22)
CVE-2025-61686 (shared CWE-22)

Affected Assets

Vendor: python
Product: black
Versions: ≤ 26.3.1 (the advisory text above gives the affected range as versions prior to 26.3.1, with 26.3.1 being the fixed release)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

prevent · SI-10 Information Input Validation
Directly addresses the path traversal vulnerability by requiring validation of unsanitized inputs such as the --python-cell-magics option value used in cache filename construction.

prevent
Ensures timely remediation of the known flaw in Black versions prior to 26.3.1 by identifying, reporting, and patching the vulnerable software.

prevent · AC-6 Least Privilege
Limits the impact of arbitrary cache file writes by enforcing least privilege on the process executing Black, restricting its write permissions to authorized locations only.
