Description
Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI). Flask-Reuploaded has been patched in version 1.5.0. Some workarounds are available. Do not pass user input to the `name` parameter, use auto-generated filenames only, and implement strict input validation if `name` must be used.
Published: 2026-02-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability originates from a server‑side template injection in the file upload component of Flask‑Reuploaded. An attacker who can supply a malicious template via the name parameter during a file upload can write arbitrary files to the server’s filesystem and execute code. The flaw is a critical path traversal combined with an extension bypass, allowing the attacker to choose the location and filename of a written file. This results in a full remote code execution capability, granting the attacker control over the affected system. The weakness maps to CWE‑1336 for template injection and CWE‑22 for path traversal.

Affected Systems

The affected product is Flask‑Reuploaded by jugmac00. Versions earlier than 1.5.0 are impacted. All deployments of Flask‑Reuploaded prior to the 1.5.0 release that use the name parameter for user‑supplied filenames are vulnerable.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity. While the EPSS score is less than 1%, indicating a low measured exploit probability, the high impact renders this flaw a top priority for remediation. The vulnerability is not listed in CISA’s KEV catalog, but the combination of remote triggerability and full code execution warrants immediate attention. The likely attack path involves an attacker uploading a crafted file through the web interface, with the name parameter exploited to inject template code and write files to arbitrary locations.

Generated by OpenCVE AI on April 17, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flask‑Reuploaded to version 1.5.0 or newer.
  • If upgrading is not immediately possible, configure the application to ignore the name parameter and generate filenames server‑side for all uploads.
  • Apply strict input validation on any user‑controlled name values, allowing only a safe subset of characters and lengths.

Generated by OpenCVE AI on April 17, 2026 at 15:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-65mp-fq8v-56jr Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection
History

Fri, 27 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
CPEs cpe:2.3:a:jugmac00:flask-reuploaded:*:*:*:*:*:python:*:*

Wed, 25 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Jugmac00
Jugmac00 flask-reuploaded
Vendors & Products Jugmac00
Jugmac00 flask-reuploaded

Wed, 25 Feb 2026 04:15:00 +0000

Type Values Removed Values Added
Description Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI). Flask-Reuploaded has been patched in version 1.5.0. Some workarounds are available. Do not pass user input to the `name` parameter, use auto-generated filenames only, and implement strict input validation if `name` must be used.
Title Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection
Weaknesses CWE-1336
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Jugmac00 Flask-reuploaded
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T21:12:45.608Z

Reserved: 2026-02-20T22:02:30.029Z

Link: CVE-2026-27641

cve-icon Vulnrichment

Updated: 2026-02-25T21:12:38.828Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T04:16:04.620

Modified: 2026-02-27T18:40:20.083

Link: CVE-2026-27641

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:30:06Z

Weaknesses