Critical severity9.9GHSA Advisory· Published May 12, 2026· Updated May 13, 2026

CVE-2026-42196

Description

django-s3file is a lightweight file upload input for Django and Amazon S3. Prior to 7.0.2, S3FileMiddleware is vulnerable to relative path traversal attacks, where an attacker can use a modified request to escape pre-signed upload locations and have the Django application load files from random locations into request.FILES. Depending on how files are handled, this may lead to confidentiality and integrity issues. This vulnerability is fixed in 7.0.2.

Affected products

Codingjoe/Django S3fileGHSA
Range: <= 7.0.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-67qg-7284-2277ghsaADVISORY
github.com/codingjoe/django-s3file/security/advisories/GHSA-67qg-7284-2277nvd
nvd.nist.gov/vuln/detail/CVE-2026-42196ghsa

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000