python311-black-26.3.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:10372-1 Final 1 1 2026-03-14T00:00:00Z current 2026-03-14T00:00:00Z 2026-03-14T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python311-black-26.3.1-1.1 on GA media These are all security issues fixed in the python311-black-26.3.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2026-10372 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2026-31900/ SUSE CVE CVE-2026-31900 page https://www.suse.com/security/cve/CVE-2026-32274/ SUSE CVE CVE-2026-32274 page openSUSE Tumbleweed python311-black-26.3.1-1.1 python313-black-26.3.1-1.1 python311-black-26.3.1-1.1 as a component of openSUSE Tumbleweed python313-black-26.3.1-1.1 as a component of openSUSE Tumbleweed Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability. CVE-2026-31900 openSUSE Tumbleweed:python311-black-26.3.1-1.1 openSUSE Tumbleweed:python313-black-26.3.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2026-31900.html CVE-2026-31900 https://bugzilla.suse.com/1259546 SUSE Bug 1259546 Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1. CVE-2026-32274 openSUSE Tumbleweed:python311-black-26.3.1-1.1 openSUSE Tumbleweed:python313-black-26.3.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2026-32274.html CVE-2026-32274 https://bugzilla.suse.com/1259608 SUSE Bug 1259608