Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/werkzeug@0.11.6

Type pypi

Namespace

Name werkzeug

Version 0.11.6

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 3.1.6

Latest_non_vulnerable_version 3.1.6

Affected_by_vulnerabilities

url VCID-19qx-5d4g-pfdn

vulnerability_id VCID-19qx-5d4g-pfdn

summary

Werkzeug safe_join not safe on Windows
On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-49766.json

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-49766.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-49766

reference_id

reference_type

scores

value	0.01392
scoring_system	epss
scoring_elements	0.80369
published_at	2026-04-13T12:55:00Z

value	0.01392
scoring_system	epss
scoring_elements	0.80375
published_at	2026-04-12T12:55:00Z

value	0.01392
scoring_system	epss
scoring_elements	0.8039
published_at	2026-04-11T12:55:00Z

value	0.01392
scoring_system	epss
scoring_elements	0.80372
published_at	2026-04-09T12:55:00Z

value	0.01392
scoring_system	epss
scoring_elements	0.80361
published_at	2026-04-08T12:55:00Z

value	0.01392
scoring_system	epss
scoring_elements	0.80333
published_at	2026-04-07T12:55:00Z

value	0.01392
scoring_system	epss
scoring_elements	0.80344
published_at	2026-04-04T12:55:00Z

value	0.01392
scoring_system	epss
scoring_elements	0.80324
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-49766

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/pallets/werkzeug

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug

reference_url

https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-25T20:08:46Z/

url

https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092

reference_url

https://github.com/pallets/werkzeug/releases/tag/3.0.6

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-25T20:08:46Z/

url

https://github.com/pallets/werkzeug/releases/tag/3.0.6

reference_url

https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-25T20:08:46Z/

url

https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-49766

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-49766

reference_url

https://security.netapp.com/advisory/ntap-20250131-0005

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20250131-0005

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2321828
reference_id	2321828
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2321828

reference_url

https://github.com/advisories/GHSA-f9vj-2wh5-fj8j

reference_id

GHSA-f9vj-2wh5-fj8j

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-f9vj-2wh5-fj8j

fixed_packages

url pkg:pypi/werkzeug@3.0.6

purl pkg:pypi/werkzeug@3.0.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3mxv-vxtj-8kde

vulnerability	VCID-6cpm-rdw8-7fh6

vulnerability	VCID-jxz2-8tqb-mbeg

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/werkzeug@3.0.6

aliases CVE-2024-49766, GHSA-f9vj-2wh5-fj8j

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-19qx-5d4g-pfdn

url VCID-1qj3-zz1y-2ydy

vulnerability_id VCID-1qj3-zz1y-2ydy

summary Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.

references

reference_url	http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html
reference_id
reference_type
scores
url	http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html

reference_url	http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html
reference_id
reference_type
scores
url	http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html

reference_url	https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168
reference_id
reference_type
scores
url	https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168

reference_url	https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246
reference_id
reference_type
scores
url	https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246

reference_url	https://palletsprojects.com/blog/werkzeug-0-15-3-released/
reference_id
reference_type
scores
url	https://palletsprojects.com/blog/werkzeug-0-15-3-released/

fixed_packages

url pkg:pypi/werkzeug@0.15.3

purl pkg:pypi/werkzeug@0.15.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19qx-5d4g-pfdn

vulnerability	VCID-3mxv-vxtj-8kde

vulnerability	VCID-6cpm-rdw8-7fh6

vulnerability	VCID-bxfr-hpkh-cyby

vulnerability	VCID-fkmf-d4ju-bbc3

vulnerability	VCID-gv2s-q6ga-23gr

vulnerability	VCID-jxz2-8tqb-mbeg

vulnerability	VCID-kycs-rbvn-z3e7

vulnerability	VCID-myg8-m4rh-ruae

vulnerability	VCID-qjcy-54yn-qybs

vulnerability	VCID-qn4r-71h3-sbgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/werkzeug@0.15.3

aliases PYSEC-2019-70

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1qj3-zz1y-2ydy

url VCID-3mxv-vxtj-8kde

vulnerability_id VCID-3mxv-vxtj-8kde

summary

Werkzeug safe_join() allows Windows special device names with compound extensions
Werkzeug's `safe_join` function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as `CON`, `AUX`, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as `CON.txt`, or trailing spaces such as `CON `.

This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the fix failed to account for compound extensions such as `CON.txt.html` or trailing spaces. It also missed some additional special names.

`send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-21860

reference_id

reference_type

scores

value	0.00022
scoring_system	epss
scoring_elements	0.05881
published_at	2026-04-02T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.05946
published_at	2026-04-13T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.05955
published_at	2026-04-12T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.05965
published_at	2026-04-11T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.05983
published_at	2026-04-09T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.05944
published_at	2026-04-08T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.05905
published_at	2026-04-07T12:55:00Z

value	0.00022
scoring_system	epss
scoring_elements	0.05914
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-21860

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/pallets/werkzeug

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug

reference_url

https://github.com/pallets/werkzeug/commit/7ae1d254e04a0c33e241ac1cca4783ce6c875ca3

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T18:50:24Z/

url

https://github.com/pallets/werkzeug/commit/7ae1d254e04a0c33e241ac1cca4783ce6c875ca3

reference_url

https://github.com/pallets/werkzeug/security/advisories/GHSA-87hc-h4r5-73f7

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T18:50:24Z/

url

https://github.com/pallets/werkzeug/security/advisories/GHSA-87hc-h4r5-73f7

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-21860

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-21860

reference_url

https://github.com/advisories/GHSA-87hc-h4r5-73f7

reference_id

GHSA-87hc-h4r5-73f7

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-87hc-h4r5-73f7

fixed_packages

url pkg:pypi/werkzeug@3.1.5

purl pkg:pypi/werkzeug@3.1.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-jxz2-8tqb-mbeg

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/werkzeug@3.1.5

aliases CVE-2026-21860, GHSA-87hc-h4r5-73f7

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3mxv-vxtj-8kde

url VCID-3t8t-yt9b-1fce

vulnerability_id VCID-3t8t-yt9b-1fce

summary Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message.

references

reference_url

http://blog.neargle.com/2016/09/21/flask-src-review-get-a-xss-from-debuger

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://blog.neargle.com/2016/09/21/flask-src-review-get-a-xss-from-debuger

reference_url	http://blog.neargle.com/2016/09/21/flask-src-review-get-a-xss-from-debuger/
reference_id
reference_type
scores
url	http://blog.neargle.com/2016/09/21/flask-src-review-get-a-xss-from-debuger/

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-10516.json

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-10516.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2016-10516

reference_id

reference_type

scores

value	0.00314
scoring_system	epss
scoring_elements	0.54554
published_at	2026-04-04T12:55:00Z

value	0.00314
scoring_system	epss
scoring_elements	0.5453
published_at	2026-04-02T12:55:00Z

value	0.00314
scoring_system	epss
scoring_elements	0.54455
published_at	2026-04-01T12:55:00Z

value	0.00411
scoring_system	epss
scoring_elements	0.61371
published_at	2026-04-13T12:55:00Z

value	0.00411
scoring_system	epss
scoring_elements	0.61321
published_at	2026-04-07T12:55:00Z

value	0.00411
scoring_system	epss
scoring_elements	0.61368
published_at	2026-04-08T12:55:00Z

value	0.00411
scoring_system	epss
scoring_elements	0.61384
published_at	2026-04-09T12:55:00Z

value	0.00411
scoring_system	epss
scoring_elements	0.61405
published_at	2026-04-11T12:55:00Z

value	0.00411
scoring_system	epss
scoring_elements	0.6139
published_at	2026-04-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2016-10516

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10516
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10516

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	4
scoring_system	cvssv2
scoring_elements	AV:N/AC:H/Au:N/C:P/I:P/A:N

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/advisories/GHSA-h2fp-xgx6-xh6f

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-h2fp-xgx6-xh6f

reference_url

https://github.com/pallets/werkzeug

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug

reference_url

https://github.com/pallets/werkzeug/commit/1034edc7f901dd645ec6e462754111b39002bd65

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug/commit/1034edc7f901dd645ec6e462754111b39002bd65

reference_url

https://github.com/pallets/werkzeug/pull/1001

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug/pull/1001

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2017-43.yaml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2017-43.yaml

reference_url

https://lists.debian.org/debian-lts-announce/2017/11/msg00037.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2017/11/msg00037.html

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1512102
reference_id	1512102
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1512102

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:palletsprojects:werkzeug::::::::
reference_id	cpe:2.3:a:palletsprojects:werkzeug::::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:palletsprojects:werkzeug::::::::

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2016-10516

reference_id

CVE-2016-10516

reference_type

scores

value	4.3
scoring_system	cvssv2
scoring_elements	AV:N/AC:M/Au:N/C:N/I:P/A:N

value	6.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2016-10516

reference_url	https://usn.ubuntu.com/3463-1/
reference_id	USN-3463-1
reference_type
scores
url	https://usn.ubuntu.com/3463-1/

fixed_packages

url pkg:pypi/werkzeug@0.11.11

purl pkg:pypi/werkzeug@0.11.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19qx-5d4g-pfdn

vulnerability	VCID-1qj3-zz1y-2ydy

vulnerability	VCID-3mxv-vxtj-8kde

vulnerability	VCID-56e9-csba-kqa8

vulnerability	VCID-6cpm-rdw8-7fh6

vulnerability	VCID-bxfr-hpkh-cyby

vulnerability	VCID-fkmf-d4ju-bbc3

vulnerability	VCID-gv2s-q6ga-23gr

vulnerability	VCID-jxz2-8tqb-mbeg

vulnerability	VCID-kycs-rbvn-z3e7

vulnerability	VCID-myg8-m4rh-ruae

vulnerability	VCID-qjcy-54yn-qybs

vulnerability	VCID-qn4r-71h3-sbgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/werkzeug@0.11.11

aliases CVE-2016-10516, GHSA-h2fp-xgx6-xh6f, PYSEC-2017-43

risk_score 3.2

exploitability 0.5

weighted_severity 6.4

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3t8t-yt9b-1fce

url VCID-56e9-csba-kqa8

vulnerability_id VCID-56e9-csba-kqa8

summary Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.

references

reference_url

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html

reference_url

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-14806.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-14806.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-14806

reference_id

reference_type

scores

value	0.00264
scoring_system	epss
scoring_elements	0.49744
published_at	2026-04-13T12:55:00Z

value	0.00264
scoring_system	epss
scoring_elements	0.49688
published_at	2026-04-01T12:55:00Z

value	0.00264
scoring_system	epss
scoring_elements	0.49725
published_at	2026-04-02T12:55:00Z

value	0.00264
scoring_system	epss
scoring_elements	0.49752
published_at	2026-04-04T12:55:00Z

value	0.00264
scoring_system	epss
scoring_elements	0.49703
published_at	2026-04-07T12:55:00Z

value	0.00264
scoring_system	epss
scoring_elements	0.49758
published_at	2026-04-08T12:55:00Z

value	0.00264
scoring_system	epss
scoring_elements	0.49753
published_at	2026-04-09T12:55:00Z

value	0.00264
scoring_system	epss
scoring_elements	0.49771
published_at	2026-04-11T12:55:00Z

value	0.00264
scoring_system	epss
scoring_elements	0.49743
published_at	2026-04-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-14806

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14806
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14806

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.2
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/advisories/GHSA-gq9m-qvpx-68hc

reference_id

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-gq9m-qvpx-68hc

reference_url

https://github.com/pallets/werkzeug

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug

reference_url

https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168

reference_url

https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2019-140.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2019-140.yaml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-14806

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-14806

reference_url

https://palletsprojects.com/blog/werkzeug-0-15-3-released

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://palletsprojects.com/blog/werkzeug-0-15-3-released

reference_url	https://palletsprojects.com/blog/werkzeug-0-15-3-released/
reference_id
reference_type
scores
url	https://palletsprojects.com/blog/werkzeug-0-15-3-released/

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1771359
reference_id	1771359
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1771359

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940935
reference_id	940935
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940935

reference_url	https://usn.ubuntu.com/4655-1/
reference_id	USN-4655-1
reference_type
scores
url	https://usn.ubuntu.com/4655-1/

fixed_packages

url pkg:pypi/werkzeug@0.15.3

purl pkg:pypi/werkzeug@0.15.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19qx-5d4g-pfdn

vulnerability	VCID-3mxv-vxtj-8kde

vulnerability	VCID-6cpm-rdw8-7fh6

vulnerability	VCID-bxfr-hpkh-cyby

vulnerability	VCID-fkmf-d4ju-bbc3

vulnerability	VCID-gv2s-q6ga-23gr

vulnerability	VCID-jxz2-8tqb-mbeg

vulnerability	VCID-kycs-rbvn-z3e7

vulnerability	VCID-myg8-m4rh-ruae

vulnerability	VCID-qjcy-54yn-qybs

vulnerability	VCID-qn4r-71h3-sbgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/werkzeug@0.15.3

aliases CVE-2019-14806, GHSA-gq9m-qvpx-68hc, PYSEC-2019-140

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-56e9-csba-kqa8

url VCID-6cpm-rdw8-7fh6

vulnerability_id VCID-6cpm-rdw8-7fh6

summary

Werkzeug safe_join() allows Windows special device names
Werkzeug's `safe_join` function allows path segments with Windows device names. On Windows, there are special device names such as `CON`, `AUX`, etc that are implicitly present and readable in every directory. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66221.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66221.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-66221

reference_id

reference_type

scores

value	0.00032
scoring_system	epss
scoring_elements	0.09225
published_at	2026-04-13T12:55:00Z

value	0.00032
scoring_system	epss
scoring_elements	0.09239
published_at	2026-04-12T12:55:00Z

value	0.00032
scoring_system	epss
scoring_elements	0.0927
published_at	2026-04-11T12:55:00Z

value	0.00032
scoring_system	epss
scoring_elements	0.09268
published_at	2026-04-09T12:55:00Z

value	0.00032
scoring_system	epss
scoring_elements	0.0923
published_at	2026-04-08T12:55:00Z

value	0.00032
scoring_system	epss
scoring_elements	0.09149
published_at	2026-04-07T12:55:00Z

value	0.00032
scoring_system	epss
scoring_elements	0.09226
published_at	2026-04-04T12:55:00Z

value	0.00032
scoring_system	epss
scoring_elements	0.0918
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-66221

reference_url

https://github.com/pallets/werkzeug

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug

reference_url

https://github.com/pallets/werkzeug/commit/4b833376a45c323a189cd11d2362bcffdb1c0c13

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-01T15:35:05Z/

url

https://github.com/pallets/werkzeug/commit/4b833376a45c323a189cd11d2362bcffdb1c0c13

reference_url

https://github.com/pallets/werkzeug/releases/tag/3.1.4

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-01T15:35:05Z/

url

https://github.com/pallets/werkzeug/releases/tag/3.1.4

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2417789
reference_id	2417789
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2417789

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-66221

reference_id

CVE-2025-66221

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-66221

reference_url

https://github.com/advisories/GHSA-hgf8-39gv-g3f2

reference_id

GHSA-hgf8-39gv-g3f2

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-hgf8-39gv-g3f2

reference_url

https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2

reference_id

GHSA-hgf8-39gv-g3f2

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-01T15:35:05Z/

url

https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2

fixed_packages

url pkg:pypi/werkzeug@3.1.4

purl pkg:pypi/werkzeug@3.1.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3mxv-vxtj-8kde

vulnerability	VCID-jxz2-8tqb-mbeg

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/werkzeug@3.1.4

aliases CVE-2025-66221, GHSA-hgf8-39gv-g3f2

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6cpm-rdw8-7fh6

url VCID-bxfr-hpkh-cyby

vulnerability_id VCID-bxfr-hpkh-cyby

summary Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46136.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46136.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-46136

reference_id

reference_type

scores

value	0.00555
scoring_system	epss
scoring_elements	0.68063
published_at	2026-04-02T12:55:00Z

value	0.00622
scoring_system	epss
scoring_elements	0.70109
published_at	2026-04-12T12:55:00Z

value	0.00622
scoring_system	epss
scoring_elements	0.70123
published_at	2026-04-11T12:55:00Z

value	0.00622
scoring_system	epss
scoring_elements	0.701
published_at	2026-04-09T12:55:00Z

value	0.00622
scoring_system	epss
scoring_elements	0.70084
published_at	2026-04-08T12:55:00Z

value	0.00622
scoring_system	epss
scoring_elements	0.70036
published_at	2026-04-07T12:55:00Z

value	0.00622
scoring_system	epss
scoring_elements	0.70059
published_at	2026-04-04T12:55:00Z

value	0.00622
scoring_system	epss
scoring_elements	0.70096
published_at	2026-04-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-46136

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/pallets/werkzeug

reference_id

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug

reference_url

https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1

reference_id

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1

reference_url

https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9

reference_id

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9

reference_url

https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2

reference_id

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2

reference_url

https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw

reference_id

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-221.yaml

reference_id

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-221.yaml

reference_url

https://security.netapp.com/advisory/ntap-20231124-0008

reference_id

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20231124-0008

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054553
reference_id	1054553
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054553

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2246310
reference_id	2246310
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2246310

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-46136

reference_id

CVE-2023-46136

reference_type

scores

value	5.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-46136

reference_url

https://github.com/advisories/GHSA-hrfv-mqp8-q5rw

reference_id

GHSA-hrfv-mqp8-q5rw

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-hrfv-mqp8-q5rw

reference_url	https://access.redhat.com/errata/RHSA-2023:7473
reference_id	RHSA-2023:7473
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7473

reference_url	https://access.redhat.com/errata/RHSA-2023:7477
reference_id	RHSA-2023:7477
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7477

reference_url	https://access.redhat.com/errata/RHSA-2023:7610
reference_id	RHSA-2023:7610
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7610

reference_url	https://access.redhat.com/errata/RHSA-2024:0189
reference_id	RHSA-2024:0189
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:0189

reference_url	https://access.redhat.com/errata/RHSA-2024:0214
reference_id	RHSA-2024:0214
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:0214

reference_url	https://access.redhat.com/errata/RHSA-2025:9775
reference_id	RHSA-2025:9775
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:9775

fixed_packages

url pkg:pypi/werkzeug@2.3.8

purl pkg:pypi/werkzeug@2.3.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19qx-5d4g-pfdn

vulnerability	VCID-3mxv-vxtj-8kde

vulnerability	VCID-6cpm-rdw8-7fh6

vulnerability	VCID-jxz2-8tqb-mbeg

vulnerability	VCID-myg8-m4rh-ruae

vulnerability	VCID-qjcy-54yn-qybs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/werkzeug@2.3.8

url pkg:pypi/werkzeug@3.0.1

purl pkg:pypi/werkzeug@3.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19qx-5d4g-pfdn

vulnerability	VCID-3mxv-vxtj-8kde

vulnerability	VCID-6cpm-rdw8-7fh6

vulnerability	VCID-jxz2-8tqb-mbeg

vulnerability	VCID-myg8-m4rh-ruae

vulnerability	VCID-qjcy-54yn-qybs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/werkzeug@3.0.1

aliases CVE-2023-46136, GHSA-hrfv-mqp8-q5rw, PYSEC-2023-221

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bxfr-hpkh-cyby

url VCID-fkmf-d4ju-bbc3

vulnerability_id VCID-fkmf-d4ju-bbc3

summary ** DISPUTED ** Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior can only occur in unsupported configurations involving development mode and an HTTP server from outside the Werkzeug project.

references

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29361.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29361.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-29361

reference_id

reference_type

scores

value	0.31113
scoring_system	epss
scoring_elements	0.96727
published_at	2026-04-02T12:55:00Z

value	0.31113
scoring_system	epss
scoring_elements	0.96729
published_at	2026-04-04T12:55:00Z

value	0.31113
scoring_system	epss
scoring_elements	0.96733
published_at	2026-04-07T12:55:00Z

value	0.31113
scoring_system	epss
scoring_elements	0.96741
published_at	2026-04-08T12:55:00Z

value	0.31113
scoring_system	epss
scoring_elements	0.96742
published_at	2026-04-09T12:55:00Z

value	0.31113
scoring_system	epss
scoring_elements	0.96745
published_at	2026-04-12T12:55:00Z

value	0.31113
scoring_system	epss
scoring_elements	0.96747
published_at	2026-04-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-29361

reference_url	https://github.com/pallets/werkzeug/commit/9a3a981d70d2e9ec3344b5192f86fcaf3210cd85
reference_id
reference_type
scores
url	https://github.com/pallets/werkzeug/commit/9a3a981d70d2e9ec3344b5192f86fcaf3210cd85

reference_url	https://github.com/pallets/werkzeug/issues/2420
reference_id
reference_type
scores
url	https://github.com/pallets/werkzeug/issues/2420

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2253045
reference_id	2253045
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2253045

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2022-29361
reference_id	CVE-2022-29361
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2022-29361

fixed_packages

url pkg:pypi/werkzeug@2.1.1

purl pkg:pypi/werkzeug@2.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19qx-5d4g-pfdn

vulnerability	VCID-3mxv-vxtj-8kde

vulnerability	VCID-6cpm-rdw8-7fh6

vulnerability	VCID-bxfr-hpkh-cyby

vulnerability	VCID-jxz2-8tqb-mbeg

vulnerability	VCID-kycs-rbvn-z3e7

vulnerability	VCID-myg8-m4rh-ruae

vulnerability	VCID-qjcy-54yn-qybs

vulnerability	VCID-qn4r-71h3-sbgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/werkzeug@2.1.1

aliases CVE-2022-29361, PYSEC-2022-203

risk_score 0.1

exploitability 0.5

weighted_severity 0.3

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fkmf-d4ju-bbc3

url VCID-gv2s-q6ga-23gr

vulnerability_id VCID-gv2s-q6ga-23gr

summary

Pallets Werkzeug vulnerable to Path Traversal
In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames.

references

reference_url

http://packetstormsecurity.com/files/163398/Pallets-Werkzeug-0.15.4-Path-Traversal.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://packetstormsecurity.com/files/163398/Pallets-Werkzeug-0.15.4-Path-Traversal.html

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-14322

reference_id

reference_type

scores

value	0.90059
scoring_system	epss
scoring_elements	0.99584
published_at	2026-04-13T12:55:00Z

value	0.90059
scoring_system	epss
scoring_elements	0.9958
published_at	2026-04-01T12:55:00Z

value	0.90059
scoring_system	epss
scoring_elements	0.99581
published_at	2026-04-02T12:55:00Z

value	0.90059
scoring_system	epss
scoring_elements	0.99582
published_at	2026-04-04T12:55:00Z

value	0.90059
scoring_system	epss
scoring_elements	0.99583
published_at	2026-04-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-14322

reference_url

https://github.com/pallets/werkzeug

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-14322

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-14322

reference_url

https://palletsprojects.com/blog/werkzeug-0-15-5-released

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://palletsprojects.com/blog/werkzeug-0-15-5-released

reference_url	https://palletsprojects.com/blog/werkzeug-0-15-5-released/
reference_id
reference_type
scores
url	https://palletsprojects.com/blog/werkzeug-0-15-5-released/

reference_url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/webapps/50101.py
reference_id	CVE-2019-14322
reference_type	exploit
scores
url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/webapps/50101.py

reference_url

https://github.com/advisories/GHSA-j544-7q9p-6xp8

reference_id

GHSA-j544-7q9p-6xp8

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-j544-7q9p-6xp8

fixed_packages

url pkg:pypi/werkzeug@0.15.5

purl pkg:pypi/werkzeug@0.15.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19qx-5d4g-pfdn

vulnerability	VCID-3mxv-vxtj-8kde

vulnerability	VCID-6cpm-rdw8-7fh6

vulnerability	VCID-bxfr-hpkh-cyby

vulnerability	VCID-fkmf-d4ju-bbc3

vulnerability	VCID-jxz2-8tqb-mbeg

vulnerability	VCID-kycs-rbvn-z3e7

vulnerability	VCID-myg8-m4rh-ruae

vulnerability	VCID-qjcy-54yn-qybs

vulnerability	VCID-qn4r-71h3-sbgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/werkzeug@0.15.5

aliases CVE-2019-14322, GHSA-j544-7q9p-6xp8

risk_score 10.0

exploitability 2.0

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gv2s-q6ga-23gr

url VCID-jxz2-8tqb-mbeg

vulnerability_id VCID-jxz2-8tqb-mbeg

summary

Werkzeug safe_join() allows Windows special device names
Werkzeug's `safe_join` function allows Windows device names as filenames if when preceded by other path segments.

This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that `safe_join` accepts paths with multiple segments, such as `example/NUL`.

`send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-27199

reference_id

reference_type

scores

value	0.0002
scoring_system	epss
scoring_elements	0.05298
published_at	2026-04-02T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05357
published_at	2026-04-13T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05366
published_at	2026-04-12T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05377
published_at	2026-04-11T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05409
published_at	2026-04-09T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05386
published_at	2026-04-08T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05352
published_at	2026-04-07T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.0533
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-27199

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/pallets/werkzeug

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug

reference_url

https://github.com/pallets/werkzeug/commit/f407712fdc60a09c2b3f4fe7db557703e5d9338d

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T19:02:05Z/

url

https://github.com/pallets/werkzeug/commit/f407712fdc60a09c2b3f4fe7db557703e5d9338d

reference_url

https://github.com/pallets/werkzeug/releases/tag/3.1.6

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T19:02:05Z/

url

https://github.com/pallets/werkzeug/releases/tag/3.1.6

reference_url

https://github.com/pallets/werkzeug/security/advisories/GHSA-29vq-49wr-vm6x

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T19:02:05Z/

url

https://github.com/pallets/werkzeug/security/advisories/GHSA-29vq-49wr-vm6x

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-27199

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-27199

reference_url

https://github.com/advisories/GHSA-29vq-49wr-vm6x

reference_id

GHSA-29vq-49wr-vm6x

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-29vq-49wr-vm6x

fixed_packages

url	pkg:pypi/werkzeug@3.1.6
purl	pkg:pypi/werkzeug@3.1.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/werkzeug@3.1.6

aliases CVE-2026-27199, GHSA-29vq-49wr-vm6x

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jxz2-8tqb-mbeg

url VCID-kycs-rbvn-z3e7

vulnerability_id VCID-kycs-rbvn-z3e7

summary Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23934.json

reference_id

reference_type

scores

value	2.6
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23934.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-23934

reference_id

reference_type

scores

value	0.00267
scoring_system	epss
scoring_elements	0.5014
published_at	2026-04-13T12:55:00Z

value	0.00267
scoring_system	epss
scoring_elements	0.50143
published_at	2026-04-12T12:55:00Z

value	0.00267
scoring_system	epss
scoring_elements	0.5017
published_at	2026-04-11T12:55:00Z

value	0.00267
scoring_system	epss
scoring_elements	0.50153
published_at	2026-04-09T12:55:00Z

value	0.00267
scoring_system	epss
scoring_elements	0.50159
published_at	2026-04-08T12:55:00Z

value	0.00267
scoring_system	epss
scoring_elements	0.50105
published_at	2026-04-07T12:55:00Z

value	0.00267
scoring_system	epss
scoring_elements	0.50155
published_at	2026-04-04T12:55:00Z

value	0.00267
scoring_system	epss
scoring_elements	0.50127
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-23934

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23934
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23934

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25577

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	2.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/pallets/werkzeug

reference_id

reference_type

scores

value	2.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug

reference_url

https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028

reference_id

reference_type

scores

value	2.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:57:36Z/

url

https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028

reference_url

https://github.com/pallets/werkzeug/releases/tag/2.2.3

reference_id

reference_type

scores

value	2.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:57:36Z/

url

https://github.com/pallets/werkzeug/releases/tag/2.2.3

reference_url

https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q

reference_id

reference_type

scores

value	2.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:57:36Z/

url

https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-57.yaml

reference_id

reference_type

scores

value	2.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-57.yaml

reference_url

https://security.netapp.com/advisory/ntap-20230818-0003

reference_id

reference_type

scores

value	2.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20230818-0003

reference_url

https://www.debian.org/security/2023/dsa-5470

reference_id

reference_type

scores

value	2.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:57:36Z/

url

https://www.debian.org/security/2023/dsa-5470

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031370
reference_id	1031370
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031370

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2170243
reference_id	2170243
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2170243

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-23934

reference_id

CVE-2023-23934

reference_type

scores

value	2.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-23934

reference_url

https://github.com/advisories/GHSA-px8h-6qxv-m22q

reference_id

GHSA-px8h-6qxv-m22q

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-px8h-6qxv-m22q

reference_url

https://security.netapp.com/advisory/ntap-20230818-0003/

reference_id

ntap-20230818-0003

reference_type

scores

value	2.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:57:36Z/

url

https://security.netapp.com/advisory/ntap-20230818-0003/

reference_url	https://access.redhat.com/errata/RHSA-2023:1018
reference_id	RHSA-2023:1018
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1018

reference_url	https://access.redhat.com/errata/RHSA-2025:4664
reference_id	RHSA-2025:4664
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:4664

reference_url	https://access.redhat.com/errata/RHSA-2025:9775
reference_id	RHSA-2025:9775
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:9775

reference_url	https://usn.ubuntu.com/5948-1/
reference_id	USN-5948-1
reference_type
scores
url	https://usn.ubuntu.com/5948-1/

reference_url	https://usn.ubuntu.com/5948-2/
reference_id	USN-5948-2
reference_type
scores
url	https://usn.ubuntu.com/5948-2/

fixed_packages

url pkg:pypi/werkzeug@2.2.3

purl pkg:pypi/werkzeug@2.2.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19qx-5d4g-pfdn

vulnerability	VCID-3mxv-vxtj-8kde

vulnerability	VCID-6cpm-rdw8-7fh6

vulnerability	VCID-bxfr-hpkh-cyby

vulnerability	VCID-jxz2-8tqb-mbeg

vulnerability	VCID-myg8-m4rh-ruae

vulnerability	VCID-qjcy-54yn-qybs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/werkzeug@2.2.3

aliases CVE-2023-23934, GHSA-px8h-6qxv-m22q, PYSEC-2023-57

risk_score 1.4

exploitability 0.5

weighted_severity 2.7

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kycs-rbvn-z3e7

url VCID-myg8-m4rh-ruae

vulnerability_id VCID-myg8-m4rh-ruae

summary

Werkzeug possible resource exhaustion when parsing file data in forms
Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass the `Request.max_form_memory_size` setting.


The `Request.max_content_length` setting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-49767.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-49767.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-49767

reference_id

reference_type

scores

value	0.0109
scoring_system	epss
scoring_elements	0.77939
published_at	2026-04-13T12:55:00Z

value	0.0109
scoring_system	epss
scoring_elements	0.7794
published_at	2026-04-12T12:55:00Z

value	0.0109
scoring_system	epss
scoring_elements	0.77956
published_at	2026-04-11T12:55:00Z

value	0.0109
scoring_system	epss
scoring_elements	0.7793
published_at	2026-04-09T12:55:00Z

value	0.0109
scoring_system	epss
scoring_elements	0.77926
published_at	2026-04-08T12:55:00Z

value	0.0109
scoring_system	epss
scoring_elements	0.77888
published_at	2026-04-02T12:55:00Z

value	0.0109
scoring_system	epss
scoring_elements	0.77899
published_at	2026-04-07T12:55:00Z

value	0.0109
scoring_system	epss
scoring_elements	0.77916
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-49767

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49767
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49767

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-25T20:06:53Z/

url

https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee

reference_url

https://github.com/pallets/quart/commit/abb04a512496206de279225340ed022852fbf51f

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-25T20:06:53Z/

url

https://github.com/pallets/quart/commit/abb04a512496206de279225340ed022852fbf51f

reference_url

https://github.com/pallets/werkzeug

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug

reference_url

https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-25T20:06:53Z/

url

https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b

reference_url

https://github.com/pallets/werkzeug/releases/tag/3.0.6

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-25T20:06:53Z/

url

https://github.com/pallets/werkzeug/releases/tag/3.0.6

reference_url

https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-25T20:06:53Z/

url

https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-49767

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-49767

reference_url

https://security.netapp.com/advisory/ntap-20250103-0007

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20250103-0007

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086062
reference_id	1086062
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086062

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086063
reference_id	1086063
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086063

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2321829
reference_id	2321829
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2321829

reference_url

https://github.com/advisories/GHSA-q34m-jh98-gwm2

reference_id

GHSA-q34m-jh98-gwm2

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-q34m-jh98-gwm2

reference_url	https://access.redhat.com/errata/RHSA-2024:10852
reference_id	RHSA-2024:10852
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:10852

reference_url	https://access.redhat.com/errata/RHSA-2025:1448
reference_id	RHSA-2025:1448
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:1448

reference_url	https://usn.ubuntu.com/7093-1/
reference_id	USN-7093-1
reference_type
scores
url	https://usn.ubuntu.com/7093-1/

fixed_packages

url pkg:pypi/werkzeug@3.0.6

purl pkg:pypi/werkzeug@3.0.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3mxv-vxtj-8kde

vulnerability	VCID-6cpm-rdw8-7fh6

vulnerability	VCID-jxz2-8tqb-mbeg

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/werkzeug@3.0.6

aliases CVE-2024-49767, GHSA-q34m-jh98-gwm2

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-myg8-m4rh-ruae

url VCID-qjcy-54yn-qybs

vulnerability_id VCID-qjcy-54yn-qybs

summary

Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain
The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-34069.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-34069.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-34069

reference_id

reference_type

scores

value	0.38929
scoring_system	epss
scoring_elements	0.97266
published_at	2026-04-13T12:55:00Z

value	0.38929
scoring_system	epss
scoring_elements	0.97265
published_at	2026-04-12T12:55:00Z

value	0.38929
scoring_system	epss
scoring_elements	0.97264
published_at	2026-04-11T12:55:00Z

value	0.38929
scoring_system	epss
scoring_elements	0.97261
published_at	2026-04-09T12:55:00Z

value	0.38929
scoring_system	epss
scoring_elements	0.9726
published_at	2026-04-08T12:55:00Z

value	0.38929
scoring_system	epss
scoring_elements	0.97247
published_at	2026-04-02T12:55:00Z

value	0.38929
scoring_system	epss
scoring_elements	0.97253
published_at	2026-04-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-34069

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34069
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34069

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/pallets/werkzeug

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug

reference_url

https://github.com/pallets/werkzeug/commit/3386395b24c7371db11a5b8eaac0c91da5362692

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-06-12T19:54:35Z/

url

https://github.com/pallets/werkzeug/commit/3386395b24c7371db11a5b8eaac0c91da5362692

reference_url

https://github.com/pallets/werkzeug/security/advisories/GHSA-2g68-c3qc-8985

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-06-12T19:54:35Z/

url

https://github.com/pallets/werkzeug/security/advisories/GHSA-2g68-c3qc-8985

reference_url

https://lists.debian.org/debian-lts-announce/2025/02/msg00026.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/02/msg00026.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4SH32AM3CTPMAAEOIDAN7VU565LO4IR

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4SH32AM3CTPMAAEOIDAN7VU565LO4IR

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HFERFN7PINV4MOGMGA3DPIXJPDCYOEJZ

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HFERFN7PINV4MOGMGA3DPIXJPDCYOEJZ

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-34069

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-34069

reference_url

https://security.netapp.com/advisory/ntap-20240614-0004

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240614-0004

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070711
reference_id	1070711
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070711

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2279451
reference_id	2279451
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2279451

reference_url

https://github.com/advisories/GHSA-2g68-c3qc-8985

reference_id

GHSA-2g68-c3qc-8985

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-2g68-c3qc-8985

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4SH32AM3CTPMAAEOIDAN7VU565LO4IR/

reference_id

H4SH32AM3CTPMAAEOIDAN7VU565LO4IR

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-06-12T19:54:35Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4SH32AM3CTPMAAEOIDAN7VU565LO4IR/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HFERFN7PINV4MOGMGA3DPIXJPDCYOEJZ/

reference_id

HFERFN7PINV4MOGMGA3DPIXJPDCYOEJZ

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-06-12T19:54:35Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HFERFN7PINV4MOGMGA3DPIXJPDCYOEJZ/

reference_url

https://security.netapp.com/advisory/ntap-20240614-0004/

reference_id

ntap-20240614-0004

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-06-12T19:54:35Z/

url

https://security.netapp.com/advisory/ntap-20240614-0004/

reference_url	https://access.redhat.com/errata/RHSA-2024:10696
reference_id	RHSA-2024:10696
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:10696

reference_url	https://access.redhat.com/errata/RHSA-2024:5107
reference_id	RHSA-2024:5107
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5107

reference_url	https://access.redhat.com/errata/RHSA-2024:5439
reference_id	RHSA-2024:5439
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5439

reference_url	https://access.redhat.com/errata/RHSA-2024:5810
reference_id	RHSA-2024:5810
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5810

reference_url	https://access.redhat.com/errata/RHSA-2024:6016
reference_id	RHSA-2024:6016
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:6016

reference_url	https://access.redhat.com/errata/RHSA-2024:9975
reference_id	RHSA-2024:9975
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:9975

reference_url	https://access.redhat.com/errata/RHSA-2024:9976
reference_id	RHSA-2024:9976
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:9976

reference_url	https://access.redhat.com/errata/RHSA-2025:4664
reference_id	RHSA-2025:4664
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:4664

reference_url	https://access.redhat.com/errata/RHSA-2025:9340
reference_id	RHSA-2025:9340
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:9340

reference_url	https://usn.ubuntu.com/6799-1/
reference_id	USN-6799-1
reference_type
scores
url	https://usn.ubuntu.com/6799-1/

fixed_packages

url pkg:pypi/werkzeug@3.0.3

purl pkg:pypi/werkzeug@3.0.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19qx-5d4g-pfdn

vulnerability	VCID-3mxv-vxtj-8kde

vulnerability	VCID-6cpm-rdw8-7fh6

vulnerability	VCID-jxz2-8tqb-mbeg

vulnerability	VCID-myg8-m4rh-ruae

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/werkzeug@3.0.3

aliases CVE-2024-34069, GHSA-2g68-c3qc-8985

risk_score 10.0

exploitability 2.0

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qjcy-54yn-qybs

url VCID-qn4r-71h3-sbgb

vulnerability_id VCID-qn4r-71h3-sbgb

summary Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25577.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-25577.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-25577

reference_id

reference_type

scores

value	0.00366
scoring_system	epss
scoring_elements	0.58609
published_at	2026-04-13T12:55:00Z

value	0.00366
scoring_system	epss
scoring_elements	0.58629
published_at	2026-04-12T12:55:00Z

value	0.00366
scoring_system	epss
scoring_elements	0.58648
published_at	2026-04-11T12:55:00Z

value	0.00366
scoring_system	epss
scoring_elements	0.58632
published_at	2026-04-09T12:55:00Z

value	0.00366
scoring_system	epss
scoring_elements	0.58625
published_at	2026-04-08T12:55:00Z

value	0.00366
scoring_system	epss
scoring_elements	0.58573
published_at	2026-04-07T12:55:00Z

value	0.00366
scoring_system	epss
scoring_elements	0.58603
published_at	2026-04-04T12:55:00Z

value	0.00366
scoring_system	epss
scoring_elements	0.58583
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-25577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23934
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23934

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25577

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/pallets/werkzeug

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug

reference_url

https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:37Z/

url

https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1

reference_url

https://github.com/pallets/werkzeug/releases/tag/2.2.3

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:37Z/

url

https://github.com/pallets/werkzeug/releases/tag/2.2.3

reference_url

https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:37Z/

url

https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-58.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-58.yaml

reference_url

https://security.netapp.com/advisory/ntap-20230818-0003

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20230818-0003

reference_url

https://www.debian.org/security/2023/dsa-5470

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:37Z/

url

https://www.debian.org/security/2023/dsa-5470

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031370
reference_id	1031370
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031370

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2170242
reference_id	2170242
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2170242

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-25577

reference_id

CVE-2023-25577

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-25577

reference_url

https://github.com/advisories/GHSA-xg9f-g7g7-2323

reference_id

GHSA-xg9f-g7g7-2323

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-xg9f-g7g7-2323

reference_url

https://security.netapp.com/advisory/ntap-20230818-0003/

reference_id

ntap-20230818-0003

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:37Z/

url

https://security.netapp.com/advisory/ntap-20230818-0003/

reference_url	https://access.redhat.com/errata/RHSA-2023:1018
reference_id	RHSA-2023:1018
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1018

reference_url	https://access.redhat.com/errata/RHSA-2023:1281
reference_id	RHSA-2023:1281
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1281

reference_url	https://access.redhat.com/errata/RHSA-2023:1325
reference_id	RHSA-2023:1325
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1325

reference_url	https://access.redhat.com/errata/RHSA-2023:7341
reference_id	RHSA-2023:7341
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7341

reference_url	https://access.redhat.com/errata/RHSA-2023:7473
reference_id	RHSA-2023:7473
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7473

reference_url	https://access.redhat.com/errata/RHSA-2025:4664
reference_id	RHSA-2025:4664
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:4664

reference_url	https://access.redhat.com/errata/RHSA-2025:9775
reference_id	RHSA-2025:9775
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:9775

reference_url	https://usn.ubuntu.com/5948-1/
reference_id	USN-5948-1
reference_type
scores
url	https://usn.ubuntu.com/5948-1/

reference_url	https://usn.ubuntu.com/5948-2/
reference_id	USN-5948-2
reference_type
scores
url	https://usn.ubuntu.com/5948-2/

fixed_packages

url pkg:pypi/werkzeug@2.2.3

purl pkg:pypi/werkzeug@2.2.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19qx-5d4g-pfdn

vulnerability	VCID-3mxv-vxtj-8kde

vulnerability	VCID-6cpm-rdw8-7fh6

vulnerability	VCID-bxfr-hpkh-cyby

vulnerability	VCID-jxz2-8tqb-mbeg

vulnerability	VCID-myg8-m4rh-ruae

vulnerability	VCID-qjcy-54yn-qybs

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/werkzeug@2.2.3

aliases CVE-2023-25577, GHSA-xg9f-g7g7-2323, PYSEC-2023-58

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qn4r-71h3-sbgb

Fixing_vulnerabilities

url VCID-q13z-976n-gke3

vulnerability_id VCID-q13z-976n-gke3

summary Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28724.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28724.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-28724

reference_id

reference_type

scores

value	0.00923
scoring_system	epss
scoring_elements	0.75984
published_at	2026-04-13T12:55:00Z

value	0.00923
scoring_system	epss
scoring_elements	0.7599
published_at	2026-04-12T12:55:00Z

value	0.00923
scoring_system	epss
scoring_elements	0.76013
published_at	2026-04-11T12:55:00Z

value	0.00923
scoring_system	epss
scoring_elements	0.75926
published_at	2026-04-01T12:55:00Z

value	0.00923
scoring_system	epss
scoring_elements	0.75989
published_at	2026-04-09T12:55:00Z

value	0.00923
scoring_system	epss
scoring_elements	0.75974
published_at	2026-04-08T12:55:00Z

value	0.00923
scoring_system	epss
scoring_elements	0.75941
published_at	2026-04-07T12:55:00Z

value	0.00923
scoring_system	epss
scoring_elements	0.75962
published_at	2026-04-04T12:55:00Z

value	0.00923
scoring_system	epss
scoring_elements	0.7593
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-28724

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28724
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28724

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/advisories/GHSA-3p3h-qghp-hvh2

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-3p3h-qghp-hvh2

reference_url

https://github.com/pallets/flask/issues/1639

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/flask/issues/1639

reference_url

https://github.com/pallets/werkzeug

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug

reference_url

https://github.com/pallets/werkzeug/issues/822

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug/issues/822

reference_url

https://github.com/pallets/werkzeug/pull/890/files

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pallets/werkzeug/pull/890/files

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2020-157.yaml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2020-157.yaml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-28724

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-28724

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1899267
reference_id	1899267
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1899267

reference_url	https://usn.ubuntu.com/4655-1/
reference_id	USN-4655-1
reference_type
scores
url	https://usn.ubuntu.com/4655-1/

fixed_packages

url pkg:pypi/werkzeug@0.11.6

purl pkg:pypi/werkzeug@0.11.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-19qx-5d4g-pfdn

vulnerability	VCID-1qj3-zz1y-2ydy

vulnerability	VCID-3mxv-vxtj-8kde

vulnerability	VCID-3t8t-yt9b-1fce

vulnerability	VCID-56e9-csba-kqa8

vulnerability	VCID-6cpm-rdw8-7fh6

vulnerability	VCID-bxfr-hpkh-cyby

vulnerability	VCID-fkmf-d4ju-bbc3

vulnerability	VCID-gv2s-q6ga-23gr

vulnerability	VCID-jxz2-8tqb-mbeg

vulnerability	VCID-kycs-rbvn-z3e7

vulnerability	VCID-myg8-m4rh-ruae

vulnerability	VCID-qjcy-54yn-qybs

vulnerability	VCID-qn4r-71h3-sbgb

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/werkzeug@0.11.6

aliases CVE-2020-28724, GHSA-3p3h-qghp-hvh2, PYSEC-2020-157

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q13z-976n-gke3

Risk_score 10.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/werkzeug@0.11.6

Package Instance