Source: python-multipart
Version: 0.0.20-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for python-multipart.

CVE-2026-24486[0]:
| Python-Multipart is a streaming multipart parser for Python. Prior
| to version 0.0.22, a Path Traversal vulnerability exists when using
| non-default configuration options `UPLOAD_DIR` and
| `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to
| arbitrary locations on the filesystem by crafting a malicious
| filename. Users should upgrade to version 0.0.22 to receive a patch
| or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in
| project configurations.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-24486
    https://www.cve.org/CVERecord?id=CVE-2026-24486
[1] https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg
[2] https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
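The traversal class the advisory describes, as an added example that is neither python-multipart's code nor part of the bug report above: a hypothetical upload handler that joins the client-supplied filename straight into an upload directory (the general pattern behind keeping the original filename), beside a hardened version that keeps only the final path component and then proves the resolved target still lies under the upload directory. The directory `/srv/app-uploads`, the function names and the sample filenames are constructed for illustration and are not taken from the project.

```python
from __future__ import annotations

import os

# Constructed sample filenames, as an attacker could place them in the
# Content-Disposition "filename" parameter of a multipart part.
SAMPLE_FILENAMES = [
    "report.pdf",                 # benign
    "../../etc/cron.d/evil",      # classic dot-dot traversal
    "/etc/passwd",                # absolute name: os.path.join drops the base dir
    "sub/../../../outside.txt",   # traversal hidden behind a subdirectory
    "..\\..\\windows\\win.ini",   # Windows-style separators
]


def unsafe_target(upload_dir: str, filename: str) -> str:
    """Vulnerable pattern: trust the client's filename when building the path.

    A filename containing '..' walks out of upload_dir, and an absolute
    filename makes os.path.join discard upload_dir entirely.
    """
    return os.path.normpath(os.path.join(upload_dir, filename))


def sanitize_filename(filename: str) -> str:
    """Keep only the final path component; reject anything that is not a plain name.

    Both '/' and '\\' count as separators, so a Windows-style traversal is
    neutralised even when the server runs on POSIX.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError(f"unsafe filename: {filename!r}")
    return name


def is_contained(upload_dir: str, candidate: str) -> bool:
    """True when candidate resolves (symlinks followed) to a path inside upload_dir."""
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(candidate)
    return os.path.commonpath([base, target]) == base


def safe_target(upload_dir: str, filename: str) -> str:
    """Hardened pattern: sanitise the name, then verify the result stays inside upload_dir."""
    name = sanitize_filename(filename)
    target = os.path.join(os.path.realpath(upload_dir), name)
    if not is_contained(upload_dir, target):
        raise ValueError(f"escapes upload dir: {filename!r}")
    return target


def escapes(upload_dir: str, filename: str) -> bool:
    """Would the vulnerable join write outside upload_dir for this filename?"""
    return not is_contained(upload_dir, unsafe_target(upload_dir, filename))


def audit(upload_dir: str, filenames: list[str]) -> list[tuple[str, bool, str | None]]:
    """Per filename: (filename, escapes via the unsafe join, hardened target or None if rejected)."""
    rows = []
    for fn in filenames:
        try:
            safe = safe_target(upload_dir, fn)
        except ValueError:
            safe = None
        rows.append((fn, escapes(upload_dir, fn), safe))
    return rows


if __name__ == "__main__":
    for fn, esc, safe in audit("/srv/app-uploads", SAMPLE_FILENAMES):
        print(f"{fn!r:32} unsafe_join_escapes={esc!s:5} safe_target={safe}")
```

Flattening to the last component is one policy; a stricter handler rejects any name that contains a separator at all. The containment check is done on `realpath` output so that a symlink inside the upload directory cannot redirect the write elsewhere, and it remains the last line of defence even after the name has been sanitised.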

