Platform: python
Component: black
Fixed in: 26.3.2, 26.3.1
CVE-2026-32274 describes an Arbitrary File Access vulnerability discovered in Black, a Python code formatter. This vulnerability allows an attacker to write cache files to arbitrary locations on the file system by manipulating the --python-cell-magics option. Versions of Black prior to 26.3.1 are affected. A fix has been released in version 26.3.1.
The core of this vulnerability lies in Black's cache file naming. When formatting code, Black writes cache files to speed up later runs, and the name of each cache file is derived from the active formatting options, including the value of --python-cell-magics. Critically, that value is incorporated into the filename without sanitization, so a value containing path separators or ".." segments steers the write to a location of the attacker's choosing rather than into Black's cache directory. The write happens with the privileges of whoever runs Black, so the impact is bounded by that user's permissions: overwriting system files requires Black to be run with elevated privileges, while overwriting files in the user's own home directory or project checkout does not. Note that Black reads the same options from the [tool.black] table of pyproject.toml, so a repository's configuration is one way this option can reach Black without anyone typing it on a command line. The blast radius covers any system where Black formats code with untrusted values for this option, whether from a CLI wrapper, a CI job, or a checked-out configuration file.
As of the publication date (2026-03-12), this CVE is not listed on the CISA KEV catalog. Public proof-of-concept exploits are not currently known, but the vulnerability is simple to exploit: it needs no memory corruption or timing, only a crafted option value, which makes it a plausible target for automated scanning. The lack of sanitization in a widely used code formatter presents a significant attack surface.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC
The primary mitigation for CVE-2026-32274 is to upgrade to Black version 26.3.1 or later, which sanitizes the value before it is used in a cache filename. If upgrading is not immediately feasible, strictly control what reaches the --python-cell-magics option: cell magic names are plain identifiers (for example "time" or "capture", the names used as %%time and %%capture), so reject any value containing a path separator, a ".." segment, or other non-identifier characters. Apply that check at whichever layer accepts untrusted input, whether a CLI wrapper, a CI pipeline, or the application that invokes Black, and treat the [tool.black] section of a pyproject.toml from an untrusted repository as input too. There are no applicable WAF or proxy rules, since the flaw is in a local tool rather than a network service. After upgrading, confirm the fix by running Black with a crafted --python-cell-magics value containing a path traversal sequence (e.g., --python-cell-magics=../../../../etc/passwd) and verifying that no file is created outside Black's cache directory; pointing the BLACK_CACHE_DIR environment variable at an empty scratch directory makes it easy to see exactly where the cache file lands.
Update Black to version 26.3.1 or later. This fixes the vulnerability that allows arbitrary file writes due to the lack of sanitization in the --python-cell-magics option.
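To make the flaw and the mitigation concrete, the following added Python example (not Black's own code, and not a description of Black's real cache key, which has more fields than this model) models a cache filename built by pasting the --python-cell-magics value straight into the name, beside a hardened version that validates the names, hashes the key, and confines the resulting path to the cache directory. CACHE_DIR, the function names, and the sample magic names are assumptions made for the illustration.

```python
"""Model of the cache-file naming flaw described for CVE-2026-32274.

Added illustration, not Black's code. CACHE_DIR, the function names and the
sample inputs are assumptions; Black's real cache key has more fields.
"""
import hashlib
import re
from pathlib import Path

# Assumed scratch location for the demo, not Black's real cache directory.
CACHE_DIR = Path("/tmp/black-cache-demo")

# Cell-magic names are bare identifiers such as "time" or "capture" (used as
# %%time / %%capture); anything else is rejected before it reaches a filename.
MAGIC_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def vulnerable_cache_file(line_length: int, cell_magics: list[str]) -> Path:
    """Mimics the flaw: option values are pasted verbatim into the file name,
    so a value such as "../../../../etc/passwd" escapes CACHE_DIR."""
    key = f"{line_length}.{','.join(sorted(cell_magics))}"
    return CACHE_DIR / f"cache.{key}.pickle"


def validate_cell_magics(cell_magics: list[str]) -> list[str]:
    """Accept only bare magic names; raise ValueError on anything else."""
    for name in cell_magics:
        if not MAGIC_NAME.match(name):
            raise ValueError(f"invalid cell magic name: {name!r}")
    return sorted(set(cell_magics))


def hardened_cache_file(line_length: int, cell_magics: list[str]) -> Path:
    """Validate the input, hash the key so no user-controlled bytes land in the
    name, then confirm the resolved path still lives under CACHE_DIR."""
    magics = validate_cell_magics(cell_magics)
    key = f"{line_length}.{','.join(magics)}"
    digest = hashlib.sha256(key.encode()).hexdigest()[:16]
    path = (CACHE_DIR / f"cache.{digest}.pickle").resolve()
    # Defence in depth: even if validation were bypassed, refuse to escape.
    if CACHE_DIR.resolve() not in path.parents:
        raise ValueError("cache path escaped the cache directory")
    return path


def escapes_cache_dir(path: Path) -> bool:
    """True if the path, once ".." segments are resolved, lands outside CACHE_DIR.
    Useful as the check behind the post-upgrade verification step."""
    return CACHE_DIR.resolve() not in path.resolve().parents


def is_rejected(cell_magics: list[str]) -> bool:
    """True if validate_cell_magics refuses the input (self-check helper)."""
    try:
        validate_cell_magics(cell_magics)
    except ValueError:
        return True
    return False


def black_argv(files: list[str], cell_magics: list[str]) -> list[str]:
    """Build a Black command line for a wrapper that accepts untrusted magic
    names: validation runs before anything is passed to the tool. The option
    is repeatable, so each name gets its own --python-cell-magics flag."""
    argv = ["black"]
    for name in validate_cell_magics(cell_magics):
        argv += ["--python-cell-magics", name]
    return argv + list(files)


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying path traversal.
    for magics in (["time"], ["../../../../etc/passwd"]):
        bad = vulnerable_cache_file(88, magics)
        print(f"vulnerable: {bad} escapes={escapes_cache_dir(bad)}")
        print(f"hardened:   rejected={is_rejected(magics)}")
    print(black_argv(["notebook.ipynb"], ["capture", "time"]))
```

The two checks in the hardened path are deliberately independent: the identifier allow-list stops the traversal value at the input boundary, and the `parents` check stops it at the filesystem boundary, so a future change to the key format cannot silently reintroduce the escape.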
CVE-2026-32274 is a HIGH severity vulnerability in Black versions ≤26.3.0 that allows attackers to write cache files to arbitrary locations due to unsanitized input to the --python-cell-magics option.
You are affected if you are using Black versions 26.3.0 or earlier and the --python-cell-magics option is exposed to untrusted input.
Upgrade to Black version 26.3.1 or later. As a temporary workaround, restrict user input to the --python-cell-magics option.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation makes it a potential target.
Refer to the Black project's official release notes and security advisories for details: [https://black.readthedocs.io/en/stable/](https://black.readthedocs.io/en/stable/)