CVE-2026-24486 is listed as a low severity vulnerability with a CVSS score of 0.0. No exploits are currently known, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
A path traversal vulnerability exists when the non-default configuration options UPLOAD_DIR and UPLOAD_KEEP_FILENAME=True are used together. An attacker can write uploaded files to arbitrary locations on the filesystem by supplying a crafted filename.
When UPLOAD_DIR is set and UPLOAD_KEEP_FILENAME is True, the library constructs the on-disk path with os.path.join(file_dir, fname), where fname is taken from the upload. By design, os.path.join() discards every preceding component as soon as it meets an absolute component, so a filename that begins with a / replaces the upload directory entirely:
os.path.join("/upload/dir", "/etc/malicious") == "/etc/malicious"
This allows an attacker to bypass the intended upload directory and write files to arbitrary paths.
Projects are only affected if all of the following are true:
- UPLOAD_DIR is set
- UPLOAD_KEEP_FILENAME is set to True
- An uploaded file exceeds MAX_MEMORY_FILE_SIZE, triggering a flush to disk
The default configuration is not vulnerable.
Arbitrary file write to attacker-controlled paths on the filesystem.
Upgrade to version 0.0.22, or avoid using UPLOAD_KEEP_FILENAME=True in project configurations.
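The following is an added example, not code from the advisory or from the affected library, showing the flawed os.path.join() construction described above next to a hardened replacement that an application could apply when it cannot yet upgrade. The upload directory /upload/dir and the sample filenames are constructed for illustration; the function names are this example's own.

```python
import os

# Constructed sample filenames for the demonstration (not taken from any real upload).
SAMPLE_FILENAMES = [
    "report.pdf",            # benign bare filename
    "/etc/malicious",        # absolute path: os.path.join drops the upload dir
    "../../etc/malicious",   # relative traversal: join keeps it, normalisation escapes
    "sub/dir/report.pdf",    # nested relative path, stays inside but is not a bare name
]


def vulnerable_target_path(upload_dir: str, fname: str) -> str:
    """Reproduce the flawed construction: os.path.join(upload_dir, fname).

    os.path.join() throws away all earlier components when it meets an
    absolute one, so an attacker-supplied fname starting with '/' wins.
    It also performs no normalisation, so '..' segments survive untouched.
    """
    return os.path.join(upload_dir, fname)


def escapes_upload_dir(upload_dir: str, path: str) -> bool:
    """Return True if `path`, once normalised, is outside `upload_dir`."""
    base = os.path.normpath(os.path.abspath(upload_dir))
    target = os.path.normpath(os.path.abspath(path))
    return os.path.commonpath([base, target]) != base


def hardened_target_path(upload_dir: str, fname: str) -> str:
    """Accept only a bare filename and verify the final path sits in upload_dir.

    Reject rather than 'clean': a name with any directory component, an
    absolute name, or '.'/'..' is refused outright. The containment check
    afterwards is defence in depth (it also follows symlinks via realpath).
    """
    normalised = fname.replace("\\", "/")  # treat Windows separators as separators too
    if (
        not fname
        or fname in (".", "..")
        or os.path.isabs(normalised)
        or os.path.basename(normalised) != fname
    ):
        raise ValueError(f"rejected upload filename: {fname!r}")

    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, fname))
    if os.path.dirname(candidate) != base:
        raise ValueError(f"upload path escapes {base!r}: {fname!r}")
    return candidate


def audit(upload_dir: str, filenames) -> dict:
    """Compare both constructions for each sample filename."""
    results = {}
    for fname in filenames:
        vuln = vulnerable_target_path(upload_dir, fname)
        try:
            hardened = hardened_target_path(upload_dir, fname)
        except ValueError:
            hardened = None  # refused by the hardened version
        results[fname] = {
            "vulnerable": vuln,
            "escapes": escapes_upload_dir(upload_dir, vuln),
            "hardened": hardened,
        }
    return results


if __name__ == "__main__":
    for name, row in audit("/upload/dir", SAMPLE_FILENAMES).items():
        print(f"{name!r:26} join -> {row['vulnerable']!r:40} "
              f"escapes={row['escapes']!s:5} hardened -> {row['hardened']!r}")
```

Note that the relative form "../../etc/malicious" is not caught by the absolute-path observation alone: os.path.join() keeps the upload directory as a prefix, but the "..' segments still resolve outside it once the path is opened, which is why the hardened version refuses anything that is not a bare filename instead of trying to sanitise it.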
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.