CVE-2026-28795: Python Unvalidated File Format Path Traversal
greprules fetch cve-2026-28795-python-unvalidated-file-format-path-traversal --engine opengrep
Description
A function parameter is interpolated as a file extension into a filename f-string and then used to open or path-join a file, without first validating the parameter against an allowlist of permitted formats. Attackers can supply values such as "../../etc/cron.d/x" or dangerous extensions (".py", ".sh", ".php") to traverse outside the intended directory or wri
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided