High severity · OSV Advisory · Published Jan 27, 2026 · Updated Jan 27, 2026
Python-Multipart has Arbitrary File Write via Non-Default Configuration
CVE-2026-24486
Description
Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a path traversal vulnerability exists when the non-default configuration options UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True are used together: the client-supplied filename is kept when the uploaded file is written to disk, so an attacker can write uploaded files to arbitrary locations on the filesystem (with the privileges of the parsing process) by crafting a malicious filename. The default configuration, which does not keep the client filename, is not affected. Users should upgrade to version 0.0.22, which contains the fix, or, as a workaround, avoid setting UPLOAD_KEEP_FILENAME=True in project configurations.
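As an added illustration of the bug class the description names (this is not python-multipart's own code and does not reproduce the exact logic of the patched function), the snippet below models an upload handler that joins an upload directory with the filename taken from a part's Content-Disposition header, next to a hardened form that refuses anything but a bare name and verifies the resolved path stays inside the directory, plus the advisory's workaround in spirit: storing under a server-generated name. The sample header, the function names and the temporary directory layout are constructed for the example.

```python
"""Path traversal through a client-supplied upload filename.

Added illustration for CVE-2026-24486; NOT python-multipart's code. It
models the bug class the advisory describes: an upload directory joined
with a filename from the multipart Content-Disposition header, and the
hardening that keeps the write inside the upload directory.
"""
import os
import re
import tempfile
import uuid
from email.message import Message
from pathlib import Path
from typing import Optional

# Constructed part header an attacker might send (hypothetical input).
ATTACKER_PART_HEADER = 'form-data; name="file"; filename="../../escaped.txt"'


def filename_from_content_disposition(header_value: str) -> Optional[str]:
    """Extract the filename parameter exactly as a permissive parser would."""
    msg = Message()
    msg["Content-Disposition"] = header_value
    return msg.get_filename()


def unsafe_target_path(upload_dir: str, filename: str) -> Path:
    """Vulnerable pattern: trust the client's filename when building the path.

    "../../escaped.txt" joined onto <upload_dir> resolves two levels up, so
    the write lands wherever the parent directories' permissions allow.
    """
    return Path(os.path.join(upload_dir, filename))


def safe_target_path(upload_dir: str, filename: str) -> Path:
    """Hardened form: accept only a bare name and verify containment."""
    base = Path(upload_dir).resolve()
    # Treat backslashes as separators too; clients are not limited to POSIX.
    name = filename.replace("\\", "/")
    if "/" in name or name in ("", ".", ".."):
        raise ValueError(f"rejected filename {filename!r}")
    target = (base / name).resolve()
    # Defence in depth: resolve() follows symlinks, so a symlink planted
    # inside the upload directory cannot redirect the write either.
    if target.parent != base:
        raise ValueError(f"{filename!r} escapes {base}")
    return target


_EXT_RE = re.compile(r"^\.[A-Za-z0-9]{1,10}$")


def server_generated_name(filename: str) -> str:
    """Workaround in spirit: never store under the client's name.

    Only a vetted extension survives; the stem is random.
    """
    ext = os.path.splitext(os.path.basename(filename.replace("\\", "/")))[1]
    if not _EXT_RE.match(ext):
        ext = ""
    return uuid.uuid4().hex + ext


def escapes(upload_dir: str, target: Path) -> bool:
    """True if `target` resolves outside `upload_dir`."""
    base = Path(upload_dir).resolve()
    resolved = target.resolve()
    return resolved != base and base not in resolved.parents


def demo() -> dict:
    """Run both handlers against the constructed attacker header."""
    filename = filename_from_content_disposition(ATTACKER_PART_HEADER)
    with tempfile.TemporaryDirectory() as root:
        upload_dir = os.path.join(root, "srv", "uploads")
        os.makedirs(upload_dir)
        unsafe = unsafe_target_path(upload_dir, filename)
        try:
            safe_target_path(upload_dir, filename)
            rejected = False
        except ValueError:
            rejected = True
        benign = safe_target_path(upload_dir, "report.pdf")
        return {
            "parsed_filename": filename,
            "unsafe_escapes": escapes(upload_dir, unsafe),
            "safe_rejected": rejected,
            "benign_inside": not escapes(upload_dir, benign),
        }


if __name__ == "__main__":
    print(demo())
```

The containment check after `resolve()` is deliberate even though the name filter already rejects separators: it also catches a pre-existing symlink in the upload directory, which a pure string check cannot see.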
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| python-multipart (PyPI) | < 0.0.22 | 0.0.22 |
Affected products
Affected PyPI versions: 0.0.10, 0.0.11, 0.0.12, …
None of the entries below carries a CPE; each is identified by its purl.
| Package (purl) | Affected versions |
|---|---|
| pkg:apk/chainguard/airflow-3 | < 3.1.6-r4 |
| pkg:apk/chainguard/airflow-core-3 | < 3.1.6-r1 |
| pkg:apk/chainguard/litellm | < 1.81.3.0-r1 |
| pkg:apk/chainguard/open-webui | < 0.8.3-r0 |
| pkg:apk/chainguard/py3-semgrep | < 1.150.0-r0 |
| pkg:apk/chainguard/reflex | < 0.8.27-r0 |
| pkg:apk/chainguard/tritonserver-backend-vllm-cuda-12.9 | < 25.9.0_git20251112-r6 |
| pkg:apk/wolfi/airflow-3 | < 3.1.6-r4 |
| pkg:apk/wolfi/open-webui | < 0.8.3-r0 |
| pkg:apk/wolfi/py3-semgrep | < 1.150.0-r0 |
| pkg:apk/wolfi/reflex | < 0.8.27-r0 |
| pkg:pypi/python-multipart | < 0.0.22 |
| pkg:rpm/opensuse/python-python-multipart&distro=openSUSE%20Leap%2015.6 | < 0.0.9-150600.3.6.1 |
| pkg:rpm/opensuse/python-python-multipart&distro=openSUSE%20Leap%2016.0 | < 0.0.20-160000.3.1 |
| pkg:rpm/suse/python-python-multipart&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 | < 0.0.20-160000.3.1 |
| pkg:rpm/suse/python-python-multipart&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 | < 0.0.20-160000.3.1 |
References
- ADVISORY: github.com/advisories/GHSA-wp53-j4wj-2cfg
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2026-24486
- WEB (fix commit): github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4
- WEB (release): github.com/Kludex/python-multipart/releases/tag/0.0.22
- WEB (confirm): github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg