Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0…
GitHub_M·CWE-1336·Published 2026-02-25
Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI). Flask-Reuploaded has been patched in version 1.5.0. Some workarounds are available. Do not pass user input to the `name` parameter, use auto-generated filenames only, and implement strict input validation if `name` must be used.
### Impact

A critical path traversal and extension bypass vulnerability in Flask-Reuploaded allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI).

### Patches

Flask-Reuploaded has been patched in version 1.5.0.

### Workarounds

1. **Do not pass user input to the `name` parameter**
2. Use auto-generated filenames only
3. Implement strict input validation if `name` must be used

```python
import os

from flask import abort, request
from werkzeug.utils import secure_filename

# `photos` is the application's UploadSet; `file` is the incoming FileStorage.

# Sanitize user input before passing to save()
safe_name = secure_filename(request.form.get('custom_name', ''))
# Remove path separators
safe_name = os.path.basename(safe_name)
# Reject an empty result so save() never receives '' as the name
if not safe_name:
    abort(400)
# Validate extension matches policy
if not photos.extension_allowed(photos.get_extension(safe_name)):
    abort(400)
filename = photos.save(file, name=safe_name)
```

### Resources

The fix is documented in the pull request, see https://github.com/jugmac00/flask-reuploaded/pull/180. A proper write-up was created by the reporter of the vulnerability, Jaron Cabral (https://www.linkedin.com/in/jaron-cabral-751994357/), but is not yet available as of time of this publication.
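As an added, stand-alone illustration of the third workaround (this is not code from Flask-Reuploaded or from the advisory): the checks below use only the Python standard library, so they run without Flask installed. The function names `validate_upload_name`, `resolve_within` and `save_upload`, the image-extension allowlist and the hostile sample names are all assumptions constructed for this example. It goes one step beyond the snippet above by re-checking the final target with `realpath()` so that a name which passed validation still cannot land outside the upload directory.

```python
import os
import re
import tempfile

# Constructed allowlist for this example; a typical image UploadSet policy.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif"})

# Conservative grammar for a caller-supplied name: a short stem, exactly one
# dot and a short alphanumeric extension. Anything else is rejected outright.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}")


def extension_of(name):
    """Lowercased extension without the dot, or '' if there is none."""
    ext = os.path.splitext(name)[1]
    return ext[1:].lower() if ext else ""


def validate_upload_name(user_name, allowed=ALLOWED_EXTENSIONS):
    """Return user_name if it is safe to use as a bare filename, else None.

    Rejects path separators, NUL bytes, parent references, names outside the
    grammar (including a trailing dot or a missing extension) and any
    extension that is not on the allowlist.
    """
    if not isinstance(user_name, str) or not user_name:
        return None
    if any(bad in user_name for bad in ("\x00", "/", "\\", "..")):
        return None
    if not _SAFE_NAME.fullmatch(user_name):
        return None
    if extension_of(user_name) not in allowed:
        return None
    return user_name


def resolve_within(base_dir, name):
    """Absolute path of name under base_dir, or None if it escapes base_dir.

    Defence in depth: the joined path is re-checked after realpath(), so
    normalisation or a symlink inside base_dir cannot relocate the write.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target


def save_upload(base_dir, user_name, data):
    """Write data under base_dir using a caller-chosen name, or raise ValueError."""
    name = validate_upload_name(user_name)
    if name is None:
        raise ValueError("rejected filename: %r" % (user_name,))
    target = resolve_within(base_dir, name)
    if target is None:
        raise ValueError("filename escapes upload directory: %r" % (user_name,))
    # 'x' mode refuses to overwrite an existing file, so nothing is clobbered.
    with open(target, "xb") as fh:
        fh.write(data)
    return target


def demo():
    """Run constructed benign and hostile names through the validator."""
    samples = [
        "photo.jpg",                    # benign
        "../../templates/index.html",   # traversal towards the template directory
        "shell.py",                     # extension outside the policy
        "photo.jpg.html",               # double extension
        "photo.",                       # trailing dot, no extension
        "..\\photo.jpg",                # Windows-style traversal
        "photo\x00.jpg",                # NUL byte
    ]
    return {s: validate_upload_name(s) for s in samples}


def demo_save():
    """Try a benign and a hostile save in a scratch directory; report what happened."""
    with tempfile.TemporaryDirectory() as d:
        written = save_upload(d, "photo.jpg", b"\xff\xd8\xff")  # constructed JPEG header
        inside = os.path.dirname(written) == os.path.realpath(d)
        try:
            # Constructed template probe; must never reach the filesystem.
            save_upload(d, "../../templates/index.html", b"{{ 7*7 }}")
            hostile_blocked = False
        except ValueError:
            hostile_blocked = True
        return {"inside": inside, "hostile_blocked": hostile_blocked}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-32r -> %s" % (name, "accepted" if verdict else "rejected"))
    print(demo_save())
```

Running the module prints one verdict per sample name. In an application the value returned by `validate_upload_name` is what you would hand to `UploadSet.save(..., name=...)`, and `resolve_within` is the extra containment check against the directory the set writes to.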
| CVSS version | Type | Source | Base score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 9.8 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | NVD | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | GHSA | 9.8 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |