CVE-2026-27641: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine in jugmac00 flask-reuploaded
Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI). Flask-Reuploaded has been patched in version 1.5.0. Some workarounds are available. Do not pass user input to the `name` parameter, use auto-generated filenames only, and implement strict input validation if `name` must be used.
AI Analysis
Technical Summary
CVE-2026-27641 affects flask-reuploaded, a maintained fork of Flask-Uploads that provides file-upload handling (upload sets, extension allowlists, destination folders) for Flask applications. The CVE is filed under CWE-1336 (template injection), but the advisory describes the defect itself as a path traversal and extension bypass in versions prior to 1.5.0: the `name` parameter of the upload-saving call is treated as trusted, so if attacker-controlled data reaches it, the stored filename can carry directory-traversal sequences and an extension that does not reflect the file's real content. The direct result is an arbitrary file write beneath, or outside, the configured upload destination. The advisory ties remote code execution to Server-Side Template Injection; the straightforward way an arbitrary write becomes SSTI is by placing attacker-controlled content where the application later renders it as a Jinja2 template, which is why the issue is classified as a template-engine weakness rather than a plain traversal. The CVSS 3.1 score of 9.8 reported on this page corresponds to a network-reachable flaw that needs no privileges or user interaction; whether a particular deployment is exploitable depends on whether request data actually flows into `name`. Version 1.5.0 contains the fix. Until it is deployed, the advisory's workarounds apply: do not pass user input to `name`, rely on the library's auto-generated filenames, and, where a caller-supplied name is unavoidable, validate it against a strict allowlist before the save call. Because the primitive is a file write in the web process, confidentiality, integrity and availability of the application are all at stake.
Potential Impact
Exploitation gives an unauthenticated remote attacker an arbitrary file write on the application host, with the privileges of the Flask process. Depending on what that process can reach, the write can overwrite application code or templates, drop a web shell or a scheduled task, or, via the SSTI path, execute code directly; any of these amounts to full compromise of the host. Confidentiality is affected because code execution exposes everything the process can read, including configuration secrets and previously uploaded data; integrity because application files and templates can be modified; availability because essential files can be corrupted or deleted, or ransomware deployed. With no authentication or user-interaction requirement, every internet-facing upload endpoint built on an affected version and passing request data into `name` is exposed. Flask is widely used for internal tools and customer-facing services in finance, healthcare, e-commerce and government, so the population of potentially affected applications is broad and the consequences include data breaches, service disruption and reputational damage. The CVSS 3.1 score of 9.8 reported here reflects that combination of low attack complexity and complete impact.
Mitigation Recommendations
Upgrade flask-reuploaded to 1.5.0 or later, and confirm the installed version in each environment (`pip show flask-reuploaded`, or the resolved lockfile) rather than trusting a requirements pin. Until the upgrade is deployed, audit every call that saves an upload and make sure nothing derived from the request (form fields, query parameters, the client-supplied filename) reaches the `name` argument; let the library generate the stored filename. Where a caller-supplied name is genuinely required, validate rather than sanitize: accept a short allowlisted character set for the base name, exactly one extension drawn from the upload set's allowlist, and no path separators, `..` components or Jinja2 delimiters (`{{`, `{%`); reject anything else instead of rewriting it. Review upload handling together with any code that renders templates from the filesystem, and test both with traversal and template-syntax payloads. WAF or RASP rules matching traversal and SSTI patterns in multipart fields add a detection layer but are a compensating control, not a fix. In logs, look for upload names containing `../`, absolute paths or template delimiters, for new files appearing in template or application directories rather than the upload destination, and for unexpected Jinja2 errors. Finally, make it a standing rule in developer guidance that request data never becomes part of a filesystem path or a template.
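The following is an added example, not code from the flask-reuploaded project or from the advisory. It illustrates the `name` handling described in the technical summary and the workarounds above. It assumes the `UploadSet.save(storage, folder=None, name=None)` signature that Flask-Reuploaded inherits from Flask-Uploads, in which `name` becomes part of the path under the upload set's destination; the helper functions, the `/srv/app/uploads` destination and the sample attacker names are this example's own.

```python
"""Keeping untrusted data out of Flask-Reuploaded's `name` argument.

Added example; not code from flask-reuploaded or the advisory. It assumes the
UploadSet.save(storage, folder=None, name=None) signature inherited from
Flask-Uploads, where `name` becomes part of the path under the upload set's
destination. All helper names and the sample destination are this example's own.
"""
import os
import re
import secrets

# An IMAGES-style extension allowlist, as an upload set would be configured with.
ALLOWED_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif"})

# <base>.<ext>: one dot, no separators, no braces, so neither '../' nor '{{' can pass.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}")


def resolved_target(dest_dir: str, name: str) -> str:
    """Path an unchecked `name` would be written to.

    os.path.join follows '..' components and discards dest_dir entirely when
    `name` is absolute, which is the traversal half of the vulnerability.
    """
    return os.path.normpath(os.path.join(os.path.abspath(dest_dir), name))


def escapes_destination(dest_dir: str, name: str) -> bool:
    """True when `name` would land outside dest_dir (e.g. in the templates dir)."""
    dest = os.path.abspath(dest_dir)
    return os.path.commonpath([dest, resolved_target(dest, name)]) != dest


def extension_of(filename: str) -> str:
    """Lower-cased final extension, or '' when the name has no dot."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def validate_upload_name(name: str, allowed=ALLOWED_EXTENSIONS) -> str:
    """Workaround 3: strict allowlist validation of a caller-supplied `name`.

    Rejects rather than sanitizes: a failing name is refused, not rewritten
    into something that merely looks safe.
    """
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError("name must be <base>.<ext> using [A-Za-z0-9_-] only")
    if extension_of(name) not in allowed:
        raise ValueError(f"extension {extension_of(name)!r} is not in the allowlist")
    return name


def is_valid_upload_name(name: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    """Boolean form of validate_upload_name for callers that prefer a check."""
    try:
        validate_upload_name(name, allowed)
        return True
    except ValueError:
        return False


def generated_upload_name(original_filename: str, allowed=ALLOWED_EXTENSIONS) -> str:
    """Workaround 2: a server-generated name. Only the extension comes from the
    client, and only after it has been checked against the allowlist."""
    ext = extension_of(original_filename)
    if ext not in allowed:
        raise ValueError(f"extension {ext!r} is not in the allowlist")
    return f"{secrets.token_hex(16)}.{ext}"


def version_is_patched(installed: str, fixed: str = "1.5.0") -> bool:
    """Compare an installed flask-reuploaded version string against the fix release."""
    def key(v: str) -> tuple:
        parts = [int(p) for p in re.findall(r"\d+", v)[:3]]
        return tuple(parts + [0] * (3 - len(parts)))
    return key(installed) >= key(fixed)


# How the helpers plug into an upload view (flask_uploads is the module that
# Flask-Reuploaded installs; kept as a comment so this file runs without it):
#
#   photos = UploadSet("photos", IMAGES)
#   storage = request.files["photo"]
#   # vulnerable pattern: photos.save(storage, name=request.form["filename"])
#   photos.save(storage, name=generated_upload_name(storage.filename))

if __name__ == "__main__":
    dest = "/srv/app/uploads"  # constructed sample destination
    for attacker_name in ("../templates/index.html", "/etc/cron.d/job", "{{7*7}}.png"):
        print(f"{attacker_name!r:28} -> {resolved_target(dest, attacker_name)}"
              f"  escapes={escapes_destination(dest, attacker_name)}"
              f"  accepted={is_valid_upload_name(attacker_name)}")
    print("generated:", generated_upload_name("holiday.JPG"))
    print("1.4.0 patched?", version_is_patched("1.4.0"))
```

The third sample name shows why a traversal check alone is insufficient: `{{7*7}}.png` stays inside the upload directory yet still carries template syntax, so the allowlist regex, not the path check, is what rejects it. Generating the stored name server-side removes the question entirely, which is why the advisory lists it ahead of validation.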
Affected Countries
United States, Germany, India, United Kingdom, Canada, Australia, France, Netherlands, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-20T22:02:30.029Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699e7673b7ef31ef0bd379c0
Added to database: 2/25/2026, 4:11:31 AM
Last enriched: 3/4/2026, 8:35:30 PM
Last updated: 4/12/2026, 7:57:21 AM