VulnerableCode Package Details - pkg:pypi/werkzeug@3.1.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-3mxv-vxtj-8kde Aliases: CVE-2026-21860 GHSA-87hc-h4r5-73f7	Werkzeug safe_join() allows Windows special device names with compound extensions Werkzeug's `safe_join` function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as `CON`, `AUX`, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as `CON.txt`, or trailing spaces such as `CON `. This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the fix failed to account for compound extensions such as `CON.txt.html` or trailing spaces. It also missed some additional special names. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.	3.1.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-6cpm-rdw8-7fh6 Aliases: CVE-2025-66221 GHSA-hgf8-39gv-g3f2	Werkzeug safe_join() allows Windows special device names Werkzeug's `safe_join` function allows path segments with Windows device names. On Windows, there are special device names such as `CON`, `AUX`, etc that are implicitly present and readable in every directory. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.	3.1.4 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-jxz2-8tqb-mbeg Aliases: CVE-2026-27199 GHSA-29vq-49wr-vm6x	Werkzeug safe_join() allows Windows special device names Werkzeug's `safe_join` function allows Windows device names as filenames if when preceded by other path segments. This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that `safe_join` accepts paths with multiple segments, such as `example/NUL`. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.	3.1.6 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-3mxv-vxtj-8kde
Aliases:
CVE-2026-21860
GHSA-87hc-h4r5-73f7

Werkzeug safe_join() allows Windows special device names with compound extensions Werkzeug's `safe_join` function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as `CON`, `AUX`, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as `CON.txt`, or trailing spaces such as `CON `. This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the fix failed to account for compound extensions such as `CON.txt.html` or trailing spaces. It also missed some additional special names. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.

3.1.5
Affected by 1 other vulnerability.

VCID-6cpm-rdw8-7fh6
Aliases:
CVE-2025-66221
GHSA-hgf8-39gv-g3f2

Werkzeug safe_join() allows Windows special device names Werkzeug's `safe_join` function allows path segments with Windows device names. On Windows, there are special device names such as `CON`, `AUX`, etc that are implicitly present and readable in every directory. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.

3.1.4
Affected by 2 other vulnerabilities.

VCID-jxz2-8tqb-mbeg
Aliases:
CVE-2026-27199
GHSA-29vq-49wr-vm6x

Werkzeug safe_join() allows Windows special device names Werkzeug's `safe_join` function allows Windows device names as filenames if when preceded by other path segments. This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that `safe_join` accepts paths with multiple segments, such as `example/NUL`. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.

3.1.6
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-29T23:02:41.816639+00:00	GitLab Importer	Affected by	VCID-jxz2-8tqb-mbeg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-27199.yml	38.5.0
2026-04-29T22:49:04.951180+00:00	GitLab Importer	Affected by	VCID-3mxv-vxtj-8kde	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-21860.yml	38.5.0
2026-04-29T22:43:37.457356+00:00	GitLab Importer	Affected by	VCID-6cpm-rdw8-7fh6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2025-66221.yml	38.5.0
2026-04-17T00:19:35.787413+00:00	GitLab Importer	Affected by	VCID-jxz2-8tqb-mbeg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-27199.yml	38.4.0
2026-04-17T00:06:30.186935+00:00	GitLab Importer	Affected by	VCID-3mxv-vxtj-8kde	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-21860.yml	38.4.0
2026-04-17T00:01:11.686023+00:00	GitLab Importer	Affected by	VCID-6cpm-rdw8-7fh6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2025-66221.yml	38.4.0
2026-04-12T01:43:59.283440+00:00	GitLab Importer	Affected by	VCID-jxz2-8tqb-mbeg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-27199.yml	38.3.0
2026-04-12T01:29:50.892288+00:00	GitLab Importer	Affected by	VCID-3mxv-vxtj-8kde	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-21860.yml	38.3.0
2026-04-12T01:24:06.841543+00:00	GitLab Importer	Affected by	VCID-6cpm-rdw8-7fh6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2025-66221.yml	38.3.0
2026-04-03T01:52:50.916303+00:00	GitLab Importer	Affected by	VCID-jxz2-8tqb-mbeg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-27199.yml	38.1.0
2026-04-03T01:38:36.924163+00:00	GitLab Importer	Affected by	VCID-3mxv-vxtj-8kde	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-21860.yml	38.1.0
2026-04-03T01:32:45.724018+00:00	GitLab Importer	Affected by	VCID-6cpm-rdw8-7fh6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2025-66221.yml	38.1.0