CVE-2026-27641

9.8 CRITICAL

📋 TL;DR

A critical path traversal and extension bypass vulnerability in Flask-Reuploaded before 1.5.0 lets a remote attacker write files outside the configured upload directory and with extensions the upload set should have rejected. That arbitrary file write can be escalated to remote code execution, for example through Server-Side Template Injection (SSTI). Any Flask application that passes user-controlled input to the name parameter of Flask-Reuploaded's save() on a vulnerable version is affected, and a successful exploit compromises the server hosting the application.

💻 Affected Systems

Products:
  • Flask-Reuploaded
Versions: All versions prior to 1.5.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Flask applications that use Flask-Reuploaded for file uploads. The vulnerable code path is reached whenever user-controlled input is passed as the name parameter of UploadSet.save(); nothing in the library's default configuration prevents this.

📦 What is this software?

Flask-Reuploaded is a maintained fork of Flask-Uploads. It provides the UploadSet API that Flask applications use to accept, validate and store uploaded files under a configured destination directory.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise with remote code execution, data exfiltration, lateral movement, and persistent backdoor installation.

🟠

Likely Case

Arbitrary file write leading to web shell deployment, data manipulation, or denial of service through critical file overwrites.

🟢

If Mitigated

Limited impact when filenames are generated server-side or the name parameter is strictly validated: crafted requests fail as rejected uploads instead of producing writes outside the upload directory, and at worst a legitimate upload is refused.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward and a public proof of concept is available. A single unauthenticated request to an upload endpoint that forwards user input to the name parameter yields path traversal and extension bypass, which can then be chained into SSTI.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.0

Vendor Advisory: https://github.com/jugmac00/flask-reuploaded/security/advisories/GHSA-65mp-fq8v-56jr

Restart Required: Yes

Instructions:

1. Update Flask-Reuploaded to version 1.5.0 or later using pip: pip install --upgrade "Flask-Reuploaded>=1.5.0" (the quotes stop the shell from treating >= as an output redirect)
2. Restart the Flask application
3. Verify the update with: pip show Flask-Reuploaded

🔧 Temporary Workarounds

Use auto-generated filenames (applies to: all platforms)

Never pass user-controlled input to the name parameter of UploadSet.save(). Let the library use the sanitized uploaded filename, or generate the stored name on the server and keep only an allow-listed extension.

Implement strict input validation (applies to: all platforms)

If the name parameter must be set from user input, accept only a single path component: reject "/" and "\", reject ".." segments, and check the extension against the upload set's allow-list before calling save(). Reject rather than sanitize, so a crafted value fails the upload instead of being silently rewritten.
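As an added example (this is not code from the Flask-Reuploaded project or from the advisory), the two workarounds above written as a stand-alone Python module. It assumes an allow-list of image and PDF extensions and relies on the library's documented handling of name: a value containing "/" is split into a folder and a filename, and a value ending in a dot has the uploaded file's extension appended. Both forms are therefore rejected outright rather than sanitized. generate_upload_name() implements the first workaround (ignore the client's name entirely); validate_upload_name() implements the second. The commented Flask calls at the bottom are illustrative and assume an UploadSet named uploads.

```python
import os
import re
import uuid

# Assumption: the application's upload set accepts only these extensions.
ALLOWED_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif", "pdf"})

# Exactly one path component: an alphanumeric first character followed by at
# most 99 characters from [A-Za-z0-9._-].  Slashes, backslashes, percent signs,
# NUL and whitespace are all excluded, so encoded traversal never gets through.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


class UnsafeUploadName(ValueError):
    """Raised when a caller-supplied name must not reach UploadSet.save()."""


def extension(filename: str) -> str:
    """Lower-cased extension without the dot, or '' when there is none."""
    base = os.path.basename(filename)
    if "." not in base or base.endswith("."):
        return ""
    return base.rsplit(".", 1)[1].lower()


def validate_upload_name(name: str, allowed=ALLOWED_EXTENSIONS) -> str:
    """Return name unchanged if it is a single safe path component with an
    allow-listed extension; raise UnsafeUploadName otherwise."""
    if not name or not _NAME_RE.fullmatch(name):
        raise UnsafeUploadName("name is empty or contains disallowed characters")
    # ".." is already excluded by the regex (it cannot start with a dot), but a
    # trailing dot is not: the library would append the uploaded file's own
    # extension, bypassing the check we are about to make on this string.
    if name.endswith("."):
        raise UnsafeUploadName("trailing dot would hand extension choice to the upload")
    ext = extension(name)
    if ext not in allowed:
        raise UnsafeUploadName(f"extension {ext!r} is not allow-listed")
    return name


def is_safe_upload_name(name: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    """Boolean wrapper around validate_upload_name for callers that only branch."""
    try:
        validate_upload_name(name, allowed)
    except UnsafeUploadName:
        return False
    return True


def generate_upload_name(original_filename: str, allowed=ALLOWED_EXTENSIONS) -> str:
    """Preferred workaround: ignore the client's name entirely.  Keep only the
    allow-listed extension of the uploaded file and pick a random stem, so the
    stored path can never contain attacker-chosen components."""
    ext = extension(original_filename)
    if ext not in allowed:
        raise UnsafeUploadName(f"extension {ext!r} is not allow-listed")
    return f"{uuid.uuid4().hex}.{ext}"


# Intended use inside a Flask view (Flask and Flask-Reuploaded are deliberately
# not imported here; 'uploads' is an assumed UploadSet instance):
#
#   storage = request.files["file"]
#   uploads.save(storage, name=generate_upload_name(storage.filename))
#
# or, only if the client genuinely must choose the stored name:
#
#   uploads.save(storage, name=validate_upload_name(request.form["name"]))
```

The regex deliberately refuses percent signs, so an encoded traversal such as ..%2f..%2f is rejected even if a framework decoded the form field only once. Reject-not-sanitize is the point: any attempt to "clean" a traversal string invites a second bypass.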

🧯 If You Can't Patch

  • Disable file upload functionality entirely if not required
  • Implement web application firewall (WAF) rules to block path traversal patterns and suspicious uploads

🔍 How to Verify

Check if Vulnerable:

Run pip show Flask-Reuploaded | grep Version. Any version below 1.5.0 is vulnerable if the application passes user-controlled input to the name parameter of UploadSet.save(). To find such call sites, search the code base for .save( calls on an UploadSet (for example grep -rn "\.save(" --include="*.py" .) and inspect whether name= is derived from the request.

Check Version:

pip show Flask-Reuploaded | grep Version

Verify Fix Applied:

Re-run pip show Flask-Reuploaded | grep Version and confirm the reported version is 1.5.0 or higher, then restart the application so the patched code is actually loaded.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload patterns
  • Path traversal attempts in upload filenames
  • Suspicious file extensions in uploads
  • Unexpected file writes outside upload directory

Network Indicators:

  • Multiple file upload attempts with crafted filenames
  • POST requests to upload endpoints with path traversal payloads

SIEM Query:

source="web_logs" AND (url_path="/upload" OR url_path LIKE "%/upload%") AND (request_body LIKE "%..%" OR request_body LIKE "%name=%..%")

Extend the body match with the URL-encoded forms of the dot (%2e%2e, and %252e%252e for double encoding) and with backslash separators; the exact escaping of the % wildcard depends on the SIEM's query language. Also alert on upload requests whose name field carries an extension outside the upload set's allow-list, since extension bypass does not require a traversal sequence.
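The same detection logic applied offline to log data, as an added example that is not part of the original advisory and not a Flask-Reuploaded feature. It filters POST requests to an upload path exactly as the SIEM query does, then decodes the name field repeatedly so single- and double-URL-encoded traversal is caught, and flags separators, ".." segments, trailing dots and non-allow-listed extensions. The JSON-lines events are constructed by hand for this example; the field names (ts, method, url_path, request_body) and the extension allow-list are assumptions.

```python
import json
from urllib.parse import parse_qs, unquote

# Assumption: the upload set's allow-list, mirrored here so the detector can
# spot extension bypass attempts (e.g. a .html template) without a traversal.
ALLOWED_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif", "pdf"})

# Constructed sample events, one JSON object per line.  These are not real
# logs; each body was written to exercise one check below.
SAMPLE_LOGS = """\
{"ts": "2026-03-01T10:00:01Z", "method": "POST", "url_path": "/upload", "request_body": "name=avatar.png"}
{"ts": "2026-03-01T10:00:07Z", "method": "POST", "url_path": "/upload", "request_body": "name=..%2F..%2Ftemplates%2Findex.html"}
{"ts": "2026-03-01T10:00:09Z", "method": "POST", "url_path": "/api/v1/upload", "request_body": "name=%252e%252e%252fapp.py"}
{"ts": "2026-03-01T10:00:12Z", "method": "POST", "url_path": "/upload", "request_body": "name=shell.html"}
{"ts": "2026-03-01T10:00:15Z", "method": "POST", "url_path": "/login", "request_body": "user=..%2F..%2Fetc"}
{"ts": "2026-03-01T10:00:20Z", "method": "POST", "url_path": "/upload", "request_body": "name=photo."}
{"ts": "2026-03-01T10:00:25Z", "method": "GET", "url_path": "/upload", "request_body": ""}
"""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo nested URL-encoding (stop when a round changes nothing) and fold
    backslashes to forward slashes so Windows-style separators are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def extension(name: str) -> str:
    """Lower-cased extension of the last path component, '' if none."""
    base = name.rsplit("/", 1)[-1]
    if "." not in base or base.endswith("."):
        return ""
    return base.rsplit(".", 1)[1].lower()


def suspicious_reasons(name: str) -> list:
    """Why a name= value looks like an attack on UploadSet.save(); [] if benign."""
    decoded = fully_decode(name)
    reasons = []
    if ".." in decoded.split("/"):
        reasons.append("traversal segment")
    if "/" in decoded:
        reasons.append("path separator (folder override)")
    if decoded.endswith("."):
        reasons.append("trailing dot (extension taken from uploaded file)")
    ext = extension(decoded)
    if ext not in ALLOWED_EXTENSIONS:
        reasons.append(f"extension {ext!r} not allow-listed")
    if decoded != name:
        reasons.append("nested URL-encoding")
    return reasons


def scan(log_text: str) -> list:
    """Apply the SIEM filter (POST to an upload path) over JSON-lines events and
    return the flagged events with the name seen and the reasons."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("method") != "POST" or "/upload" not in event.get("url_path", ""):
            continue
        # parse_qs performs one round of percent-decoding, as the web framework would.
        form = parse_qs(event.get("request_body", ""), keep_blank_values=True)
        for name in form.get("name", []):
            reasons = suspicious_reasons(name)
            if reasons:
                hits.append({"ts": event["ts"], "name": name, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit["ts"], repr(hit["name"]), "; ".join(hit["reasons"]))
```

Note that the /login event with a traversal string in another field is ignored, matching the page's query scope; widen the path filter if upload handlers live under other routes. The double-encoded event is the one a naive "%..%" substring match misses, which is why the decode loop runs before any pattern check.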
