## Black Code Formatter Security Flaw (CVE-2026-32274): Arbitrary File Write via Cache Filename
A critical security vulnerability has been disclosed in the widely used Python code formatter, Black. The flaw, tracked as CVE-2026-32274, stems from improper sanitization of user input when generating cache filenames. Specifically, the value of the `--python-cell-magics` command-line argument is incorporated into a cache file's name without validation. This design oversight allows an attacker who controls this argument to manipulate the resulting file path, enabling cache files to be written to arbitrary locations on the file system.

The vulnerability resides in Black's caching mechanism, which is designed to speed up formatting by storing results. The cache filename is computed from a combination of formatting options. By injecting path traversal sequences (like `../`) or other malicious payloads into the `--python-cell-magics` option, an attacker can redirect the cache file's write operation outside the intended cache directory. This could lead to file corruption, denial of service, or potentially be leveraged in a broader attack chain if combined with other vulnerabilities.

The impact is significant for any development pipeline or automated tool that uses Black with untrusted input for the `--python-cell-magics` option. The maintainers, the Python Software Foundation (PSF), have released Black version 26.3.1 to address this issue. The fix involves sanitizing the input used in the filename generation. All users are urged to upgrade immediately. This incident highlights the security risks inherent in even mundane developer tools like code formatters, where caching logic can become a vector for exploitation if input validation is incomplete.
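To make the bug class concrete, here is an added example (not Black's own code; its cache directory, filename scheme and the identifier-style allow-list for magic names are assumptions) showing a cache-path builder that embeds the option value verbatim next to a hardened version that validates the names, hashes them into the filename, and lexically checks that the result stays inside the cache directory:

```python
import hashlib
import os
import re
from pathlib import Path

# Hypothetical cache directory; Black's real location and filename scheme differ.
CACHE_DIR = Path("/var/cache/black-demo")

# Cell magic names are identifier-like (e.g. timeit, capture). This allow-list is
# an assumption for the demo, not Black's actual validation rule.
MAGIC_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def cache_path_unsanitized(mode_name: str, cell_magics: list[str]) -> Path:
    """The vulnerable pattern: option values land in the filename verbatim."""
    key = f"{mode_name}.{','.join(sorted(cell_magics))}"
    return CACHE_DIR / f"cache.{key}.pickle"


def escapes_cache_dir(path: Path) -> bool:
    """Purely lexical containment check; no filesystem access is needed."""
    base = os.path.normpath(str(CACHE_DIR))
    target = os.path.normpath(str(path))
    return os.path.commonpath([base, target]) != base


def cache_path_hardened(mode_name: str, cell_magics: list[str]) -> Path:
    """Validate the names, then hash all option values so they cannot shape the path."""
    for magic in cell_magics:
        if not MAGIC_NAME.match(magic):
            raise ValueError(f"invalid cell magic name: {magic!r}")
    material = f"{mode_name}|{','.join(sorted(cell_magics))}".encode()
    digest = hashlib.sha256(material).hexdigest()[:16]
    path = CACHE_DIR / f"cache.{digest}.pickle"
    # Defence in depth: never hand back a path outside the cache directory.
    if escapes_cache_dir(path):
        raise ValueError("cache path escapes cache directory")
    return path


if __name__ == "__main__":
    print(cache_path_unsanitized("default", ["timeit"]))
    print(cache_path_unsanitized("default", ["../../../tmp/evil"]))  # leaves CACHE_DIR
    print(cache_path_hardened("default", ["timeit", "capture"]))
```

Only the hashed form can reach a file write; the unsanitized builder is kept here purely to show why a containment check on the computed path is worth having even after input validation.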
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-32274, Python, Supply Chain Security, Code Formatter, Arbitrary File Write
- **Credibility**: unverified
- **Published**: 2026-03-26 16:27:21
- **ID**: 35777
- **URL**: https://whisperx.ai/en/intel/35777