Python-Multipart <=0.0.22 Path Traversal via UPLOAD_KEEP_FILENAME
CVE-2026-24486 Published on January 27, 2026
Python-Multipart has Arbitrary File Write via Non-Default Configuration
Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.
Vulnerability Analysis
CVE-2026-24486 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a high impact on integrity, and a small impact on availability.
Weakness Type
What is a Directory traversal Vulnerability?
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVE-2026-24486 has been classified to as a Directory traversal vulnerability or weakness.
Products Associated with CVE-2026-24486
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-24486 are published in Canonical Ubuntu Linux:
Affected Versions
Kludex python-multipart Version < 0.0.22 is affected by CVE-2026-24486Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.