Python-Multipart has Arbitrary File Write via Non-Default Configuration

🗓️ 26 Jan 2026 23:28:05Reported by GitHub Advisory DatabaseType

Python-Multipart traversal enables writes when UPLOAD_DIR is set and UPLOAD_KEEP_FILENAME is true.

Reporter	Title	Published	Views	Family All 65
IBM Security Bulletins	Security Bulletin: Maximo AI Service uses multiple third party dependencies which is vulnerable to multiple CVEs.	31 Mar 202613:54	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM watsonx Orchestrate with watsonx Assistant Cartridge	18 May 202607:00	–	ibm
IBM Security Bulletins	Security Bulletin: IBM watsonx.data integration has several vulnerabilities due to open source packages (CVE-2026-24486,CVE-2025-50537,CVE-2026-24688)	20 Mar 202616:40	–	ibm
IBM Security Bulletins	Security Bulletin: Platform Navigator in IBM Cloud Pak for Integration is vulnerable to vulnerability in python_multipart	10 Apr 202608:27	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Security QRadar EDR Software	2 Jun 202608:49	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses python_multipart-0.0.21-py3-none-any.whl which is vulnerable to CVE-2026-24486	6 Apr 202610:57	–	ibm
ATTACKERKB	CVE-2026-24486	27 Jan 202600:34	–	attackerkb
AlpineLinux	CVE-2026-24486	27 Jan 202600:34	–	alpinelinux
Chainguard	CVE-2026-24486 vulnerabilities	28 Jan 202607:17	–	cgr
Circl	CVE-2026-24486	27 Jan 202601:31	–	circl

Vulners

Node

Source	Link
github	www.github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg
github	www.github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4
github	www.github.com/Kludex/python-multipart/releases/tag/0.0.22
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-24486
github	www.github.com/advisories/GHSA-wp53-j4wj-2cfg

29 Jan 2026 03:24Current

6Medium risk

Vulners AI Score6

CVSS 3.17.5 - 8.6

EPSS0.01021

SSVC