Path Traversal in Psf Black
CVE-2026-32274
Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without s…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.000 (6.8th percentile)
Affected products
- Psf Black — versions < 26.3.1
Weakness classification (CWE)
References
- https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m (x_refsource_CONFIRM)
- https://github.com/psf/black/pull/5038 (x_refsource_MISC)
- https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d (x_refsource_MISC)
- https://github.com/psf/black/releases/tag/26.3.1 (x_refsource_MISC)