{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27641", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T22:02:30.029Z", "datePublished": "2026-02-25T03:54:54.391Z", "dateUpdated": "2026-02-25T21:12:45.608Z"}, "containers": {"cna": {"title": "Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/jugmac00/flask-reuploaded/security/advisories/GHSA-65mp-fq8v-56jr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jugmac00/flask-reuploaded/security/advisories/GHSA-65mp-fq8v-56jr"}, {"name": "https://github.com/jugmac00/flask-reuploaded/pull/180", "tags": ["x_refsource_MISC"], "url": "https://github.com/jugmac00/flask-reuploaded/pull/180"}, {"name": "https://github.com/jugmac00/flask-reuploaded/commit/d64c6b2f71cb73734fc38baa0e3e156926361288", "tags": ["x_refsource_MISC"], "url": "https://github.com/jugmac00/flask-reuploaded/commit/d64c6b2f71cb73734fc38baa0e3e156926361288"}], "affected": [{"vendor": "jugmac00", "product": "flask-reuploaded", "versions": [{"version": "< 1.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T03:54:54.391Z"}, "descriptions": [{"lang": "en", "value": "Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI). Flask-Reuploaded has been patched in version 1.5.0. Some workarounds are available. Do not pass user input to the `name` parameter, use auto-generated filenames only, and implement strict input validation if `name` must be used."}], "source": {"advisory": "GHSA-65mp-fq8v-56jr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T21:12:32.024132Z", "id": "CVE-2026-27641", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:12:45.608Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27641", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-25T21:12:32.024132Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:12:38.828Z"}}], "cna": {"title": "Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection", "source": {"advisory": "GHSA-65mp-fq8v-56jr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "jugmac00", "product": "flask-reuploaded", "versions": [{"status": "affected", "version": "< 1.5.0"}]}], "references": [{"url": "https://github.com/jugmac00/flask-reuploaded/security/advisories/GHSA-65mp-fq8v-56jr", "name": "https://github.com/jugmac00/flask-reuploaded/security/advisories/GHSA-65mp-fq8v-56jr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/jugmac00/flask-reuploaded/pull/180", "name": "https://github.com/jugmac00/flask-reuploaded/pull/180", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/jugmac00/flask-reuploaded/commit/d64c6b2f71cb73734fc38baa0e3e156926361288", "name": "https://github.com/jugmac00/flask-reuploaded/commit/d64c6b2f71cb73734fc38baa0e3e156926361288", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI). Flask-Reuploaded has been patched in version 1.5.0. Some workarounds are available. Do not pass user input to the `name` parameter, use auto-generated filenames only, and implement strict input validation if `name` must be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1336", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T03:54:54.391Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27641", "state": "PUBLISHED", "dateUpdated": "2026-02-25T21:12:45.608Z", "dateReserved": "2026-02-20T22:02:30.029Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-25T03:54:54.391Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jugmac00:flask-reuploaded:*:*:*:*:*:python:*:*", "matchCriteriaId": "ADCCDA77-EDD0-4AC4-B9BA-7087B5D9DC32", "versionEndExcluding": "1.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI). Flask-Reuploaded has been patched in version 1.5.0. Some workarounds are available. Do not pass user input to the `name` parameter, use auto-generated filenames only, and implement strict input validation if `name` must be used."}], "id": "CVE-2026-27641", "lastModified": "2026-02-27T18:40:20.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-25T04:16:04.620", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/jugmac00/flask-reuploaded/commit/d64c6b2f71cb73734fc38baa0e3e156926361288"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/jugmac00/flask-reuploaded/pull/180"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/jugmac00/flask-reuploaded/security/advisories/GHSA-65mp-fq8v-56jr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "flask-reuploaded", "source": "cna", "vendor": "jugmac00"}, "product": "flask-reuploaded", "vendor": "jugmac00"}], "analysis": {"en": {"generated_at": "2026-04-17T15:26:39.927839+00:00", "value": {"mitigation_remediation": ["Upgrade Flask\u2011Reuploaded to version 1.5.0 or newer.", "If upgrading is not immediately possible, configure the application to ignore the name parameter and generate filenames server\u2011side for all uploads.", "Apply strict input validation on any user\u2011controlled name values, allowing only a safe subset of characters and lengths."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is Flask\u2011Reuploaded by jugmac00. Versions earlier than 1.5.0 are impacted. All deployments of Flask\u2011Reuploaded prior to the 1.5.0 release that use the name parameter for user\u2011supplied filenames are vulnerable.", "description_and_impact": "The vulnerability originates from a server\u2011side template injection in the file upload component of Flask\u2011Reuploaded. An attacker who can supply a malicious template via the name parameter during a file upload can write arbitrary files to the server\u2019s filesystem and execute code. The flaw is a critical path traversal combined with an extension bypass, allowing the attacker to choose the location and filename of a written file. This results in a full remote code execution capability, granting the attacker control over the affected system. The weakness maps to CWE\u20111336 for template injection and CWE\u201122 for path traversal.", "risk_and_exploitability": "The CVSS score of 9.8 indicates critical severity. While the EPSS score is less than 1%, indicating a low measured exploit probability, the high impact renders this flaw a top priority for remediation. The vulnerability is not listed in CISA\u2019s KEV catalog, but the combination of remote triggerability and full code execution warrants immediate attention. The likely attack path involves an attacker uploading a crafted file through the web interface, with the name parameter exploited to inject template code and write files to arbitrary locations."}}}}, "created": "2026-02-25T11:34:41.601366+00:00", "updated": "2026-04-17T15:30:06.034785+00:00", "vendors": ["jugmac00", "jugmac00$PRODUCT$flask-reuploaded"]}