CPE
An incomplete fix for CVE-2026-27641 in Flask-Reuploaded versions up to and including 1.5.0 allows attackers to bypass extension denylists through case-folding asymmetry, enabling the upload of malicious files with dangerous extensions (e.g., shell.PHP) that can lead to remote code execution on case-insensitive execution environments.