LeakyCreds
NewInstant webhook alerts now available ā€” notified within seconds of any credential detection.Learn more ā†’
Home / Vulnerability Intelligence / CVE-2026-27641

CVE-2026-27641 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: February 25, 2026

Flask-Reuploaded - Path Traversal & Remote Code Execution

Published: February 25, 2026Updated: February 25, 2026Remote Exploitable

Overview

Flask-Reuploaded < 1.5.0 contains a path traversal and extension bypass vulnerability caused by improper input validation in file uploads, letting remote attackers achieve arbitrary file write and remote code execution through SSTI, exploit requires crafted file upload with malicious name parameter.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 14.6%(Probability of exploitation in next 30 days)

Impact

Remote attackers can write arbitrary files and execute code remotely, potentially leading to full server compromise.

Mitigation

Upgrade to version 1.5.0 or later; avoid passing user input to the name parameter and implement strict input validation.

References

Social Media Activity(3 posts)

Offensive Sequence
Offensive Sequence
@offseq
Feb 25, 2026

šŸšØ CRITICAL: CVE-2026-27641 impacts flask-reuploaded < 1.5.0. SSTI lets remote attackers write files & execute code (CVSS 9.8) without auth. Upgrade to 1.5.0+ & validate all input. Details: https://radar.offseq.com/threat/cve-2026-27641-cwe-1336-improper-neutralization-of-693604e2 #OffSeq #CVE202627641 #SSTI #Python

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Feb 25, 2026

šŸ”“ CVE-2026-27641 - Critical (9.8) Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Templat... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-27641/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Feb 25, 2026

šŸ”“ CVE-2026-27641 - Critical (9.8) Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Templat... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-27641/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID
CVE-2026-27641
Severity
Critical
CVSS Score
9.8
Type
path_traversal
Status
unconfirmed
EPSS
14.6%
Social Posts
3

CWE

  • CWE-1336

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

14.6%Probability of exploitation in the next 30 days