diff --git a/CVE-2026-24486.patch b/CVE-2026-24486.patch
new file mode 100644
index 0000000..f23b229
--- /dev/null
+++ b/CVE-2026-24486.patch
@@ -0,0 +1,58 @@
+From 9433f4bbc9652bdde82bbe380984e32f8cfc89c4 Mon Sep 17 00:00:00 2001
+From: Marcelo Trylesinski
+Date: Sun, 25 Jan 2026 10:37:09 +0100
+Subject: [PATCH] Merge commit from fork
+
+---
+ python_multipart/multipart.py | 4 +++-
+ tests/test_file.py | 26 ++++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+), 1 deletion(-)
+ create mode 100644 tests/test_file.py
+
+diff --git a/python_multipart/multipart.py b/python_multipart/multipart.py
+index 0cc4c82..1489b7a 100644
+--- a/python_multipart/multipart.py
++++ b/python_multipart/multipart.py
+@@ -375,7 +375,9 @@ def __init__(self, file_name: bytes | None, field_name: bytes | None = None, con
+
+ # Split the extension from the filename.
+ if file_name is not None:
+- base, ext = os.path.splitext(file_name)
++ # Extract just the basename to avoid directory traversal
++ basename = os.path.basename(file_name)
++ base, ext = os.path.splitext(basename)
+ self._file_base = base
+ self._ext = ext
+
+diff --git a/tests/test_file.py b/tests/test_file.py
+new file mode 100644
+index 0000000..4d65232
+--- /dev/null
++++ b/tests/test_file.py
+@@ -0,0 +1,26 @@
++from pathlib import Path
++
++from python_multipart.multipart import File
++
++
++def test_upload_dir_with_leading_slash_in_filename(tmp_path: Path):
++ upload_dir = tmp_path / "upload"
++ upload_dir.mkdir()
++
++ # When the file_name provided has a leading slash, we should only use the basename.
++ # This is to avoid directory traversal.
++ to_upload = tmp_path / "foo.txt"
++
++ file = File(
++ bytes(to_upload),
++ config={
++ "UPLOAD_DIR": bytes(upload_dir),
++ "UPLOAD_KEEP_FILENAME": True,
++ "UPLOAD_KEEP_EXTENSIONS": True,
++ "MAX_MEMORY_FILE_SIZE": 10,
++ },
++ )
++ file.write(b"123456789012")
++ assert not file.in_memory
++ assert Path(upload_dir / "foo.txt").exists()
++ assert Path(upload_dir / "foo.txt").read_bytes() == b"123456789012"
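Review bot: The new test covers only an absolute path (`bytes(to_upload)`, which has a leading slash); a client-supplied name that ends in a separator, such as `b"foo/"`, makes `os.path.basename` return `b""`, and how `__init__` then handles an empty `_file_base` is outside this hunk (the function starts at line 375 and continues past the shown lines). Two further cases would pin the behaviour of the new basename call: a relative name with a `..` component, which must land as `upload_dir / "foo.txt"` exactly like the existing assertion, and a trailing-separator name, whose expected outcome needs to be decided explicitly rather than left to whatever the later code does with an empty base. The comment `# Extract just the basename to avoid directory traversal` would state the contract more precisely as `# Keep only the final path component so a client-supplied name cannot escape UPLOAD_DIR`.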
diff --git a/python-python-multipart.changes b/python-python-multipart.changes
index 3f5f409..b7cea33 100644
--- a/python-python-multipart.changes
+++ b/python-python-multipart.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue Jan 27 09:01:01 UTC 2026 - Nico Krapp
+
+- Add CVE-2026-24486.patch to fix CVE-2026-24486 (bsc#1257301)
+
 -------------------------------------------------------------------
 Tue Feb 4 17:06:23 UTC 2025 - Dirk Müller
diff --git a/python-python-multipart.spec b/python-python-multipart.spec
index 698e1e0..1a4040f 100644
--- a/python-python-multipart.spec
+++ b/python-python-multipart.spec
@@ -24,6 +24,8 @@ License: Apache-2.0
 Summary: Python streaming multipart parser
 URL: http://github.com/Kludex/python-multipart
 Source: https://files.pythonhosted.org/packages/source/p/python-multipart/python_multipart-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM CVE-2026-24486.patch bsc#1257301 gh#Kludex/python-multipart@9433f4b
+Patch0: CVE-2026-24486.patch
 BuildRequires: %{python_module hatchling}
 BuildRequires: %{python_module pip}
 BuildRequires: %{python_module wheel}
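Review bot: `Patch0: CVE-2026-24486.patch` is declared, but the `%prep` section that applies it is outside this hunk; the patch is a git format-patch with `a/` and `b/` path prefixes, so it only applies with a `-p1` strip (for example `%autosetup -p1`), which is worth confirming in the spec. The same patch creates `tests/test_file.py`, the test that demonstrates the fix, and it only runs if the `%check` section (also not shown) invokes the test suite rather than a fixed file list.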