CVSS 9.8
Flask-Reuploaded: Remote Code Execution via User Input
CVE-2026-27641
GHSA-65mp-fq8v-56jr
Summary
Flask-Reuploaded's `UploadSet.save()` lets an attacker who controls the `name` argument write a file outside the upload directory and with an extension the upload set would otherwise reject (path traversal plus extension bypass). If the application later renders such a file as a template, the attacker achieves server-side template injection and remote code execution. Update to version 1.5.0, or apply one of the workarounds below so that user input is never used as the stored filename.
What to do
- Update flask-reuploaded to version 1.5.0 or later.
- Until you can update, stop passing user-controlled values to the `name` parameter of `UploadSet.save()`.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | flask-reuploaded | < 1.5.0 | 1.5.0 |
| jugmac00 | flask-reuploaded | < 1.5.0 | – |
Original title
Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection
Original description
### Impact
A critical path traversal and extension bypass vulnerability in Flask-Reuploaded allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI).
### Patches
Flask-Reuploaded has been patched in version 1.5.0.
### Workarounds
1. **Do not pass user input to the `name` parameter**
2. Use auto-generated filenames only
3. Implement strict input validation if `name` must be used
```python
from flask import abort, request
from werkzeug.utils import secure_filename
import os

# `photos` is the UploadSet the application already configured;
# `file` is the uploaded FileStorage, e.g. request.files["photo"].
# Sanitize user input before passing to save(); default to '' so a
# missing form field fails the extension check instead of raising.
safe_name = secure_filename(request.form.get('custom_name', ''))
# Remove path separators (defence in depth; secure_filename already strips them)
safe_name = os.path.basename(safe_name)
# Validate extension matches policy
if not photos.extension_allowed(photos.get_extension(safe_name)):
    abort(400)
filename = photos.save(file, name=safe_name)
```
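As an added example that is not part of this advisory or of Flask-Reuploaded itself, the module below implements the strict validation the third workaround asks for, generalised a little beyond the snippet: it rejects rather than rewrites a caller-supplied `name`, covers both abuses named in the Impact section (traversal into another directory, and an extension outside the upload set's policy), refuses a trailing dot so the library's extension-append behaviour is never reached, and re-checks the final destination against the upload root at the point of the write. The upload root, the extension allowlist, the helper names and the sample inputs are assumptions chosen for illustration.

```python
import posixpath
import re

# Assumed deployment values, chosen for illustration only.
UPLOAD_ROOT = "/var/app/uploads/photos"             # destination of the UploadSet
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}  # image-only policy

# A name is a single path component: a letter or digit, then letters,
# digits, '.', '_' or '-' only. Separators can never match.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


class UnsafeName(ValueError):
    """Raised when a caller-supplied name fails the policy."""


def validate_name(user_name: str) -> str:
    """Return ``user_name`` unchanged if it is safe to pass as ``name``, else raise.

    Rejecting instead of sanitising keeps the policy auditable: a request that
    sends "../" gets a 400, not a silently renamed file.
    """
    if not user_name:
        raise UnsafeName("empty name")
    if "\x00" in user_name:
        # NUL can truncate the path in C-level file APIs.
        raise UnsafeName("NUL byte in name")
    if "/" in user_name or "\\" in user_name:
        # Any separator turns the "filename" into a path: traversal.
        raise UnsafeName("path separator in name")
    if not _NAME_RE.match(user_name):
        # Covers hidden files (".htaccess"), "..", spaces and control chars.
        raise UnsafeName("disallowed characters in name")
    if user_name.endswith("."):
        # Flask-Uploads documents that a name ending in a dot has the
        # upload's own extension appended; keep that code path out of play.
        raise UnsafeName("trailing dot in name")
    ext = user_name.rsplit(".", 1)[1].lower() if "." in user_name else ""
    if ext not in ALLOWED_EXTENSIONS:
        # Extension bypass: "shell.html" or "x.py" never reaches save().
        raise UnsafeName(f"extension {ext!r} not allowed")
    return user_name


def resolve_destination(safe_name: str, root: str = UPLOAD_ROOT) -> str:
    """Join the validated name to the upload root and prove it stayed inside.

    Kept as a separate last-line check so the traversal property is
    asserted at the point of the write, not only at input validation.
    """
    dest = posixpath.normpath(posixpath.join(root, safe_name))
    if posixpath.commonpath([root, dest]) != posixpath.normpath(root):
        raise UnsafeName(f"{safe_name!r} resolves outside {root}")
    return dest


def check_names(names):
    """Run every name through the policy; return name -> destination or rejection."""
    outcome = {}
    for name in names:
        try:
            outcome[name] = resolve_destination(validate_name(name))
        except UnsafeName as exc:
            outcome[name] = f"rejected: {exc}"
    return outcome


# Constructed inputs (not taken from a real request) covering the advisory's
# two abuses plus the edge cases the validator handles.
CONSTRUCTED_NAMES = [
    "holiday.png",                    # legitimate
    "../../templates/index.html",     # traversal toward the Jinja template dir
    "..\\..\\templates\\index.html",  # Windows-style separators
    "shell.html",                     # allowed characters, disallowed extension
    "photo.",                         # trailing dot: extension would be appended
    "pic\x00.png",                    # NUL truncation attempt
    ".htaccess",                      # hidden server config file
]

if __name__ == "__main__":
    for name, result in check_names(CONSTRUCTED_NAMES).items():
        print(f"{name!r:36} -> {result}")
```

In a view this slots in ahead of the library call, for example `photos.save(request.files["photo"], name=validate_name(request.form.get("custom_name", "")))` with `UnsafeName` mapped to a 400 response; the allowlist should mirror whatever extensions the `UploadSet` was configured with so the two checks cannot drift apart.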
### Resources
The fix is documented in the pull request, see https://github.com/jugmac00/flask-reuploaded/pull/180.
A proper write-up was created by the reporter of the vulnerability, Jaron Cabral (https://www.linkedin.com/in/jaron-cabral-751994357/), but is not yet available as of the time of this publication.
NVD CVSS 3.1: 9.8
Vulnerability type
- CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine (Server-Side Template Injection)
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
- https://nvd.nist.gov/vuln/detail/CVE-2026-27641
- https://github.com/advisories/GHSA-65mp-fq8v-56jr
- https://github.com/jugmac00/flask-reuploaded/commit/d64c6b2f71cb73734fc38baa0e3e... Patch
- https://github.com/jugmac00/flask-reuploaded/pull/180 Issue Tracking Patch
- https://github.com/jugmac00/flask-reuploaded/security/advisories/GHSA-65mp-fq8v-... Exploit Vendor Advisory
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026