SB20260428227 - Relative Path Traversal in django-s3file
Published: April 28, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Relative Path Traversal (CVE-ID: CVE-2026-42196)
The vulnerability allows a remote attacker to disclose sensitive information and modify data.
The vulnerability exists due to relative path traversal in S3FileMiddleware when handling a modified request for pre-signed upload locations. A remote attacker can send a specially crafted request to disclose sensitive information and modify data.
The issue can cause the Django application to load files from unintended locations into request.FILES.
Remediation
Install the update from the vendor's website.
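As an added example (not django-s3file's code and not the vendor's fix), the Python below shows the kind of containment check that keeps a client-supplied object key inside an upload prefix before it is opened from storage. The prefix `tmp/s3file`, the function names and the sample keys are assumptions made for illustration.

```python
# Assumed upload prefix for this example; use the location your storage is configured with.
UPLOAD_PREFIX = "tmp/s3file"


class UnsafeUploadKey(ValueError):
    """A client-supplied object key does not stay under the upload prefix."""


def resolve_upload_key(client_key, prefix=UPLOAD_PREFIX):
    """Return client_key relative to prefix, or raise UnsafeUploadKey."""
    if not isinstance(client_key, str) or "\x00" in client_key or "\\" in client_key:
        raise UnsafeUploadKey("malformed key")
    # Object keys are POSIX-style strings, so split on "/" instead of using os.path.
    segments = client_key.split("/")
    # Empty segments cover "", a leading or trailing "/", and "//".
    # Dot segments are rejected rather than normalised away.
    if any(seg in ("", ".", "..") for seg in segments):
        raise UnsafeUploadKey("empty or dot segment in key")
    prefix_segments = prefix.strip("/").split("/")
    # Compare whole segments so "tmp/s3file-other" does not match "tmp/s3file".
    if segments[:len(prefix_segments)] != prefix_segments:
        raise UnsafeUploadKey("key is outside the upload prefix")
    if len(segments) == len(prefix_segments):
        raise UnsafeUploadKey("key names the prefix itself, not an object")
    return "/".join(segments[len(prefix_segments):])


def partition_keys(client_keys, prefix=UPLOAD_PREFIX):
    """Split submitted keys into (accepted relative keys, rejected raw keys)."""
    accepted, rejected = [], []
    for key in client_keys:
        try:
            accepted.append(resolve_upload_key(key, prefix))
        except UnsafeUploadKey:
            rejected.append(key)
    return accepted, rejected


# Constructed sample values, not taken from the bulletin.
SAMPLE_KEYS = [
    "tmp/s3file/abc123/report.pdf",
    "tmp/s3file/../../private/settings.py",
    "tmp/s3file-other/report.pdf",
    "/tmp/s3file/abc123/report.pdf",
]

if __name__ == "__main__":
    ok, bad = partition_keys(SAMPLE_KEYS)
    print("accepted:", ok, "rejected:", bad)
```

Rejected keys are worth logging with the request's source, since a key that leaves the upload prefix does not come from a normal upload flow.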