CVE-2026-32274: Black: Arbitrary file writes from unsanitized user input in cache file name

March 12, 2026 (updated March 13, 2026)

Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations.

References

github.com/advisories/GHSA-3936-cmfr-pm3m
github.com/psf/black
github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d
github.com/psf/black/pull/5038
github.com/psf/black/releases/tag/26.3.1
github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m
nvd.nist.gov/vuln/detail/CVE-2026-32274

Code Behaviors & Features

Detect and mitigate CVE-2026-32274 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →