CVSS 4.0: 8.7
Black: Untrusted user input can write files anywhere on your system
GHSA-3936-cmfr-pm3m
CVE-2026-32274
Summary
A bug in Black allows an attacker to write files to any location on your system if they can control a specific option. This is a concern if you're using Black with untrusted user input. To fix this, update to version 26.3.1 or ensure the option value only comes from trusted sources.
What to do
- Update black to version 26.3.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | black | < 26.3.1 | 26.3.1 |
Original title
Black: Arbitrary file writes from unsanitized user input in cache file name
Original description
### Impact
Black writes a cache file, the name of which is computed from various formatting options. The value of the `--python-cell-magics` option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations.
### Patches
Fixed in Black 26.3.1.
### Workarounds
Do not allow untrusted user input into the value of the `--python-cell-magics` option.
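As an added illustration of the CWE-22 pattern the advisory describes (example code, not Black's own code and not the fix from PR #5038): a cache file name built by concatenating option values verbatim, beside a hardened variant that derives the name from a hash so no user-controlled byte reaches the path, plus a write-site confinement check and an input-boundary check for the `--python-cell-magics` value. The function names, the cache directory, the file-name layout and the identifier-style rule for magic names are all assumptions made for this example.

```python
import hashlib
import os
import re
from pathlib import Path

# Constructed cache location for the example; Black's real cache directory differs.
CACHE_DIR = Path(os.path.abspath("/tmp/black-cache-example"))

# Assumption: a cell-magic name is identifier-like (e.g. "timeit"), so anything
# containing a separator or '..' is rejected before it can influence a path.
_MAGIC_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def cache_file_name_unsafe(target_version: str, cell_magics: set[str]) -> Path:
    """Vulnerable pattern (simplified from the advisory): option values are
    placed verbatim in the file name, so a value containing path separators
    and '..' segments decides which directory the cache file lands in."""
    magics = ",".join(sorted(cell_magics))
    return CACHE_DIR / f"cache.{target_version}.{magics}.pickle"


def cache_file_name_safe(target_version: str, cell_magics: set[str]) -> Path:
    """Hardened pattern: derive the name from a hash of the option values.
    The result is fixed-width hex, independent of set ordering, and contains
    no user-controlled characters."""
    key = repr((target_version, tuple(sorted(cell_magics)))).encode("utf-8")
    digest = hashlib.sha256(key).hexdigest()[:32]
    return CACHE_DIR / f"cache.{digest}.pickle"


def is_confined(path: Path, root: Path = CACHE_DIR) -> bool:
    """Defensive check at the write site: after '..' segments are normalised
    the path must still lie under the cache root."""
    norm = os.path.normpath(str(path))
    return os.path.commonpath([str(root), norm]) == str(root)


def validate_cell_magic(value: str) -> bool:
    """Input-boundary check for one --python-cell-magics entry (assumed rule)."""
    return bool(_MAGIC_RE.match(value))


def classify(target_version: str, cell_magics: set[str]) -> dict:
    """Report where each naming scheme would place the cache file, whether
    that location stays inside CACHE_DIR, and whether the inputs pass the
    boundary check."""
    unsafe = cache_file_name_unsafe(target_version, cell_magics)
    safe = cache_file_name_safe(target_version, cell_magics)
    return {
        "unsafe_path": str(unsafe),
        "unsafe_confined": is_confined(unsafe),
        "safe_path": str(safe),
        "safe_confined": is_confined(safe),
        "inputs_valid": all(validate_cell_magic(m) for m in cell_magics),
    }


if __name__ == "__main__":
    # Constructed inputs: a benign magic name and one carrying a traversal sequence.
    for magics in ({"timeit"}, {"/../../../outside"}):
        print(classify("py312", magics))
```

Running the block shows the unsafe scheme resolving the traversal input to a file outside `CACHE_DIR` while the hashed scheme stays inside it for any input; the boundary check rejects the traversal value outright, which is the practical form of the workaround above.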
Severity (GHSA, CVSS 4.0)
8.7
Vulnerability type
CWE-22
Path Traversal
- https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m
- https://github.com/psf/black/pull/5038
- https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d
- https://github.com/psf/black/releases/tag/26.3.1
- https://github.com/advisories/GHSA-3936-cmfr-pm3m
- https://nvd.nist.gov/vuln/detail/CVE-2026-32274
Published: 12 Mar 2026 · Updated: 14 Mar 2026 · First seen: 12 Mar 2026