CVE-2026-24486

Python-Multipart has Arbitrary File Write via Non-Default Configuration

CVSS 8.6 HIGHEPSS 1.8%CWE-22

Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Affected products

Kludex · python-multipart

public PoCs found — 1

exploitdbwww.exploit-db.com/exploits/52543unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4 https://github.com/Kludex/python-multipart/releases/tag/0.0.22 https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg