Source: black
Version: 26.1.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/psf/black/pull/5038
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for black.

CVE-2026-32274[0]:
| Black is the uncompromising Python code formatter. Prior to 26.3.1,
| Black writes a cache file, the name of which is computed from
| various formatting options. The value of the --python-cell-magics
| option was placed in the filename without sanitization, which
| allowed an attacker who controls the value of this argument to write
| cache files to arbitrary file system locations. Fixed in Black
| 26.3.1.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-32274
    https://www.cve.org/CVERecord?id=CVE-2026-32274
[1] https://github.com/psf/black/pull/5038
[2] https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m
[3] https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
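The bug class described in the advisory above, as an added example that is not part of the bug report and is not black's own code: a cache filename is built by concatenating an option value, so a value containing "../" walks out of the cache directory, whereas hashing the user-controlled part and checking containment of the resolved path keeps every write inside the cache root. The function names, the directory layout and the attacker-controlled value are assumptions constructed for this demonstration.

```python
"""Illustrative model of the CVE-2026-32274 bug class (added example, not black's code).

The unsafe builder mirrors the flaw the advisory describes: an option value is
placed in the cache filename without sanitization. The safe builder hashes the
option value and additionally refuses any path that resolves outside the cache
root. Names and layout here are assumptions for the demo only.
"""
from hashlib import sha256
from pathlib import Path
import tempfile


def cache_path_unsafe(cache_dir: Path, cell_magics: set[str]) -> Path:
    # Vulnerable pattern: the sorted option values go straight into the name.
    # A value such as "../../../../tmp/evil" yields a path outside cache_dir.
    key = ",".join(sorted(cell_magics)) or "-"
    return cache_dir / f"cache.{key}.pickle"


def is_within(root: Path, candidate: Path) -> bool:
    """True if candidate, once '..' and symlinks are resolved, lies under root."""
    root_r = root.resolve()
    cand_r = candidate.resolve()
    return cand_r == root_r or root_r in cand_r.parents


def cache_path_safe(cache_dir: Path, cell_magics: set[str]) -> Path:
    # Hash the user-controlled part so only [0-9a-f] reaches the filename ...
    key = sha256(",".join(sorted(cell_magics)).encode()).hexdigest()
    path = cache_dir / f"cache.{key}.pickle"
    # ... and still verify containment before any write (defence in depth:
    # this check catches any future key component that is not hashed).
    if not is_within(cache_dir, path):
        raise ValueError("cache path escapes cache directory")
    return path


def demo() -> dict:
    """Compare both builders on a constructed traversal value; returns facts to assert on."""
    evil = {"../../../../tmp/evil"}  # constructed attacker-controlled option value
    with tempfile.TemporaryDirectory() as d:
        cache_dir = Path(d) / "cache"
        cache_dir.mkdir()
        unsafe = cache_path_unsafe(cache_dir, evil)
        safe = cache_path_safe(cache_dir, evil)
        return {
            "unsafe_escapes": not is_within(cache_dir, unsafe),
            "safe_contained": is_within(cache_dir, safe),
            "safe_name": safe.name,
            "unsafe_resolved": str(unsafe.resolve()),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The containment check is deliberately kept even though the hashed name can no longer contain a path separator: it is the control that still holds if someone later adds another unhashed option to the key, which is exactly how this class of bug tends to reappear.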

