CVE-2026-27641: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine in jugmac00 flask-reuploaded

Severity: Critical
Type: Vulnerability
Tags: CVE-2026-27641, CWE-1336
Published: Wed Feb 25 2026 (02/25/2026, 03:54:54 UTC)
Source: CVE Database V5
Vendor/Project: jugmac00
Product: flask-reuploaded

Description

Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection (SSTI). Flask-Reuploaded has been patched in version 1.5.0. Some workarounds are available. Do not pass user input to the `name` parameter, use auto-generated filenames only, and implement strict input validation if `name` must be used.

AI-Powered Analysis

Last updated: 02/25/2026, 04:26:50 UTC

Technical Analysis

CVE-2026-27641 is a critical vulnerability in the flask-reuploaded Python package affecting versions prior to 1.5.0. Flask-Reuploaded is a Flask extension that handles file uploads. The advisory classifies the issue under CWE-1336 (improper neutralization of special elements used in a template engine), but the underlying defect is in the handling of the `name` parameter of the upload-set save call: a caller-supplied `name` is not neutralised before it is used to build the destination path. An attacker who controls that value can therefore supply path separators and `..` sequences (path traversal) and an extension of their own choosing (extension bypass), which together give an arbitrary file write anywhere the application process can write. Remote code execution follows when the written file is consumed by the application's template engine, for instance a Jinja2 template dropped into a directory the template loader reads, so that the next render executes attacker-controlled template code; that is the SSTI step the advisory names. The vulnerability carries a CVSS 3.1 base score of 9.8 (network, low complexity, no privileges, no user interaction, high impact on confidentiality, integrity and availability). In practice it is reachable only in applications that pass user-controlled input to `name`, which is why the vendor's workaround is to stop doing so. Version 1.5.0 corrects the handling of `name`. Until an upgrade is possible, do not pass user input to `name`, rely on auto-generated filenames, and, where `name` must be user-derived, validate it against a strict allowlist. No public exploit had been reported at the time of writing, but the bug is simple to trigger once the vulnerable pattern is found, so Flask applications exposing upload endpoints should be checked promptly.

Potential Impact

Organizations running Flask applications that use flask-reuploaded before 1.5.0 and pass user-controlled input to the `name` parameter are exposed. Successful exploitation lets a remote attacker write a file of arbitrary name, extension and location within reach of the application process: overwriting application modules or templates, dropping a template that executes on the next render, or planting a web shell, any of which yields code execution as the application user. From there the usual consequences follow: persistent access, credential and data theft, service disruption and lateral movement into the surrounding network. Because the CVSS 3.1 vector assumes no privileges and no user interaction, an unauthenticated upload endpoint that forwards a user-supplied name is exploitable by automated scanning. The 9.8 score reflects the full loss of confidentiality, integrity and availability; the actual exposure of a given deployment depends on whether the vulnerable parameter is reachable from untrusted input and on what the application user is permitted to write to.

Mitigation Recommendations

1. Upgrade flask-reuploaded to version 1.5.0 or later; this is the only complete fix.
2. Do not pass user-supplied input to the `name` parameter. Let the library generate the filename, or generate one yourself (for example a random token) and derive the extension from the validated original filename rather than from anything else the client sent.
3. If `name` must be derived from user input, validate it against a strict allowlist (for example alphanumerics, `-` and `_`, bounded length), reject any `/`, `\`, `.` or NUL byte, append the extension server-side, and after joining confirm that the resolved target still lies inside the upload root.
4. Where a WAF or RASP sits in front of the application, add rules that flag path separators, `..` sequences and unexpected extensions in the form fields that feed file naming on upload endpoints. Generic SSTI signatures on the request body may catch a template payload in the uploaded content, but the decisive control is on the name field.
5. Review every code path that calls the upload set's save method with a `name` argument, and any configuration in which uploaded files land in directories the template loader or the Python import system reads.
6. Monitor for files appearing outside the upload directory, for template or source files whose modification time does not match a deployment, and for upload requests whose filename fields contain traversal sequences.
7. Educate developers on the difference between the sanitised original filename and a raw `name` override, and more generally on treating any client-influenced string that reaches a filesystem path or a template as untrusted.
8. If an immediate upgrade is not possible, disable or restrict access to the upload endpoints that pass user input to `name`, and run the application as a user that can write only to the upload directory, with code and templates read-only to it, so that even a reached bug cannot write outside the upload tree.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-20T22:02:30.029Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699e7673b7ef31ef0bd379c0

Added to database: 2/25/2026, 4:11:31 AM

Last enriched: 2/25/2026, 4:26:50 AM

Last updated: 2/26/2026, 4:51:01 AM

