{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/flask-reuploaded--1.5.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:jugmac00:flask-reuploaded:*:*:*:*:*:python:*:*"],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-27641"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Flask-Reuploaded \u003c= 1.5.0"],"_cs_severities":["high"],"_cs_tags":["web-vulnerability","file-upload","rce","python","flask","incomplete-fix"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability exists in the Flask-Reuploaded library, affecting all versions up to and including 1.5.0, stemming from an incomplete fix for CVE-2026-27641. This flaw allows attackers to bypass documented extension denylist mechanisms, specifically when a \u003ccode\u003ename\u003c/code\u003e override is provided to the \u003ccode\u003eUploadSet.save()\u003c/code\u003e function. The core issue lies in a case-folding asymmetry: the re-validation logic for the \u003ccode\u003ename\u003c/code\u003e override uses a case-preserving extension extractor, whereas the security policy's denied tokens are typically lowercase. This discrepancy enables attackers to upload files with mixed-case dangerous extensions, such as \u003ccode\u003eshell.PHP\u003c/code\u003e or \u003ccode\u003eevil.pHp\u003c/code\u003e, which would normally be blocked. If the application is deployed on a system with case-insensitive file resolution and execution, such as Windows or macOS filesystems, or specific web server configurations (e.g., Apache with \u003ccode\u003eAddHandler\u003c/code\u003e/\u003ccode\u003eAddType\u003c/code\u003e), successful exploitation leads to remote code execution under the web server's privileges, re-enabling the impact that the original CVE-2026-27641 aimed to prevent.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a web application utilizing Flask-Reuploaded and configured with an \u003ccode\u003eUploadSet\u003c/code\u003e that employs a denylist to prevent specific file types (e.g., scripts).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious file, such as a PHP web shell, specifically designed for remote code execution, (e.g., \u003ccode\u003eshell.PHP\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends an authenticated HTTP request to the application's file upload endpoint, which uses the vulnerable \u003ccode\u003eUploadSet.save()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eWithin this request, the attacker supplies a \u003ccode\u003ename\u003c/code\u003e override parameter for the uploaded file, specifying the malicious filename with mixed casing (e.g., \u003ccode\u003ename=\u0026quot;shell.PHP\u0026quot;\u003c/code\u003e or \u003ccode\u003ename=\u0026quot;evil.pHp\u0026quot;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDue to the incomplete fix for CVE-2026-27641, the \u003ccode\u003eUploadSet.save()\u003c/code\u003e function's re-validation logic fails to normalize the mixed-case extension to lowercase, thus bypassing the configured denylist.\u003c/li\u003e\n\u003cli\u003eThe application saves the malicious file (e.g., \u003ccode\u003eshell.PHP\u003c/code\u003e) to the configured upload directory on the web server's filesystem.\u003c/li\u003e\n\u003cli\u003eThe attacker then makes a subsequent HTTP request to directly access the uploaded malicious file (e.g., \u003ccode\u003ehttp://example.com/uploads/shell.PHP?c=id\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eOn a server environment where file extensions are resolved or executed case-insensitively (e.g., Windows/macOS filesystems or specific Apache \u003ccode\u003eAddHandler\u003c/code\u003e/\u003ccode\u003eAddType\u003c/code\u003e configurations), the web server executes the PHP web shell, granting the attacker remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of this vulnerability bypasses Flask-Reuploaded's documented extension denylist mechanism for scripts and executables. This allows an attacker to upload and store files with dangerous, mixed-case extensions (e.g., \u003ccode\u003e.PHP\u003c/code\u003e, \u003ccode\u003e.pHp\u003c/code\u003e) within the application's served upload directory. The primary impact is remote code execution (RCE) under the web server's privileges if the affected application is hosted on a case-insensitive execution surface such as Windows or macOS filesystems, or if the web server (e.g., Apache) is configured to handle extensions case-insensitively. This outcome effectively re-enables the critical code execution risk that the original CVE-2026-27641 aimed to mitigate, potentially compromising the integrity, confidentiality, and availability of the affected web application and underlying server. Any web application using Flask-Reuploaded with a denylist configuration is susceptible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpdate Flask-Reuploaded to a version that addresses the case-folding asymmetry in \u003ccode\u003eUploadSet.save()\u003c/code\u003e. The patch should normalize the extension before the policy check using \u003ccode\u003eext = extension(basename).lower()\u003c/code\u003e or \u003ccode\u003eextension(lowercase_ext(basename))\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAlternatively, modify your Flask-Reuploaded configuration to make \u003ccode\u003eextension_allowed\u003c/code\u003e or the policy containers case-insensitive to ensure consistent evaluation of extensions.\u003c/li\u003e\n\u003cli\u003eAudit your application's file upload logic to ensure that user-supplied filenames are rigorously validated and processed using case-normalized extensions consistently across all security checks.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eattack.t1190\u003c/code\u003e rules in your SIEM to detect attempts to exploit public-facing applications through suspicious file uploads.\u003c/li\u003e\n\u003cli\u003eEnsure your log sources, particularly \u003ccode\u003ewebserver\u003c/code\u003e logs, capture full HTTP request details, including method, URI stem, and query parameters, to aid in investigating \u003ccode\u003eattack.t1190\u003c/code\u003e activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T20:12:56Z","date_published":"2026-07-17T20:12:56Z","id":"https://feed.craftedsignal.io/briefs/2026-07-flask-reuploaded-case-folding-bypass/","summary":"An incomplete fix for CVE-2026-27641 in Flask-Reuploaded versions up to and including 1.5.0 allows attackers to bypass extension denylists through case-folding asymmetry, enabling the upload of malicious files with dangerous extensions (e.g., shell.PHP) that can lead to remote code execution on case-insensitive execution environments.","title":"Flask-Reuploaded Extension Denylist Bypass via Case-Folding Asymmetry","url":"https://feed.craftedsignal.io/briefs/2026-07-flask-reuploaded-case-folding-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Flask-Reuploaded \u003c= 1.5.0","version":"https://jsonfeed.org/version/1.1"}