django-s3file is vulnerable to relative path traversal — CVE-2026-42196
GitHub · GitHub · CVE-2026-42196
ID
CVE-2026-42196
CVE-2026-42196
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
critical
critical
CVSS
9.9
9.9
EPSS
0.00078
0.00078
Summary
### Impact `S3FileMiddleware` is vulnerable to relative path traversal attacks, where an attacker can use a modified request to escape pre-signed upload locations and have the Django application load files from random locations into `request.FILES` Depending on how files are handled, this may lead to confidentiality and integrity issues. ### Patches Django-S3File urges all users to update to a patched version…
Product
pip: django-s3file
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.