Relative Path Traversal Vulnerability in django-s3file by CodingJoe
CVE-2026-42196

9.9 CRITICAL

Key Information:

Vendor: Codingjoe
CVE Published: 12 May 2026

What is CVE-2026-42196?

The django-s3file library, which facilitates file uploads in Django applications utilizing Amazon S3, is susceptible to relative path traversal attacks. This vulnerability allows malicious actors to craft requests that can bypass pre-signed upload locations. By exploiting this flaw, attackers may manipulate the Django application to load files from unintended locations into request.FILES. Consequently, this could result in serious confidentiality and integrity concerns, depending on how the uploaded files are processed within the application. The issue is addressed in version 7.0.2.

Affected Version(s)

django-s3file < 7.0.2

CVSS V4

Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
