cvedb.io
CVE-2026-24486
HIGH · CVSS 8.6
EPSS exploitation probability: 0%
Published 2026-01-27T01:16:02.303 · Last modified 2026-06-30T03:17:37.980

Summary

Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations.

Affected products

fastapiexpert — python-multipart

Does this affect you?

Add your gear to cvedb and we'll alert you only when fastapiexpert ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.