VulnerableCode Package Details - pkg:pypi/werkzeug@3.1.4

Search for packages

Vulnerability	Summary	Fixed by
VCID-3mxv-vxtj-8kde Aliases: CVE-2026-21860 GHSA-87hc-h4r5-73f7	Werkzeug safe_join() allows Windows special device names with compound extensions Werkzeug's `safe_join` function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as `CON`, `AUX`, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as `CON.txt`, or trailing spaces such as `CON `. This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the fix failed to account for compound extensions such as `CON.txt.html` or trailing spaces. It also missed some additional special names. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.	3.1.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-jxz2-8tqb-mbeg Aliases: CVE-2026-27199 GHSA-29vq-49wr-vm6x	Werkzeug safe_join() allows Windows special device names Werkzeug's `safe_join` function allows Windows device names as filenames if when preceded by other path segments. This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that `safe_join` accepts paths with multiple segments, such as `example/NUL`. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.	3.1.6 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-3mxv-vxtj-8kde
Aliases:
CVE-2026-21860
GHSA-87hc-h4r5-73f7

Werkzeug safe_join() allows Windows special device names with compound extensions Werkzeug's `safe_join` function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as `CON`, `AUX`, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as `CON.txt`, or trailing spaces such as `CON `. This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the fix failed to account for compound extensions such as `CON.txt.html` or trailing spaces. It also missed some additional special names. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.

3.1.5
Affected by 1 other vulnerability.

VCID-jxz2-8tqb-mbeg
Aliases:
CVE-2026-27199
GHSA-29vq-49wr-vm6x

Werkzeug safe_join() allows Windows special device names Werkzeug's `safe_join` function allows Windows device names as filenames if when preceded by other path segments. This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that `safe_join` accepts paths with multiple segments, such as `example/NUL`. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.

3.1.6
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-6cpm-rdw8-7fh6	Werkzeug safe_join() allows Windows special device names Werkzeug's `safe_join` function allows path segments with Windows device names. On Windows, there are special device names such as `CON`, `AUX`, etc that are implicitly present and readable in every directory. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.	CVE-2025-66221 GHSA-hgf8-39gv-g3f2

Vulnerability

Summary

Aliases

VCID-6cpm-rdw8-7fh6

Werkzeug safe_join() allows Windows special device names Werkzeug's `safe_join` function allows path segments with Windows device names. On Windows, there are special device names such as `CON`, `AUX`, etc that are implicitly present and readable in every directory. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.

CVE-2025-66221
GHSA-hgf8-39gv-g3f2

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-29T23:02:41.823197+00:00	GitLab Importer	Affected by	VCID-jxz2-8tqb-mbeg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-27199.yml	38.5.0
2026-04-29T22:49:04.957764+00:00	GitLab Importer	Affected by	VCID-3mxv-vxtj-8kde	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-21860.yml	38.5.0
2026-04-29T22:43:37.463805+00:00	GitLab Importer	Fixing	VCID-6cpm-rdw8-7fh6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2025-66221.yml	38.5.0
2026-04-17T00:19:35.794069+00:00	GitLab Importer	Affected by	VCID-jxz2-8tqb-mbeg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-27199.yml	38.4.0
2026-04-17T00:06:30.193940+00:00	GitLab Importer	Affected by	VCID-3mxv-vxtj-8kde	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-21860.yml	38.4.0
2026-04-17T00:01:11.692484+00:00	GitLab Importer	Fixing	VCID-6cpm-rdw8-7fh6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2025-66221.yml	38.4.0
2026-04-12T01:43:59.290744+00:00	GitLab Importer	Affected by	VCID-jxz2-8tqb-mbeg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-27199.yml	38.3.0
2026-04-12T01:29:50.900585+00:00	GitLab Importer	Affected by	VCID-3mxv-vxtj-8kde	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-21860.yml	38.3.0
2026-04-12T01:24:06.849752+00:00	GitLab Importer	Fixing	VCID-6cpm-rdw8-7fh6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2025-66221.yml	38.3.0
2026-04-03T01:52:50.924148+00:00	GitLab Importer	Affected by	VCID-jxz2-8tqb-mbeg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-27199.yml	38.1.0
2026-04-03T01:38:36.931594+00:00	GitLab Importer	Affected by	VCID-3mxv-vxtj-8kde	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-21860.yml	38.1.0
2026-04-03T01:32:45.731771+00:00	GitLab Importer	Fixing	VCID-6cpm-rdw8-7fh6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2025-66221.yml	38.1.0
2026-04-01T16:07:13.452003+00:00	GHSA Importer	Fixing	VCID-6cpm-rdw8-7fh6	https://github.com/advisories/GHSA-hgf8-39gv-g3f2	38.0.0
2026-04-01T12:55:33.586929+00:00	GithubOSV Importer	Fixing	VCID-6cpm-rdw8-7fh6	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-hgf8-39gv-g3f2/GHSA-hgf8-39gv-g3f2.json	38.0.0
2026-04-01T12:53:27.158467+00:00	GitLab Importer	Fixing	VCID-6cpm-rdw8-7fh6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2025-66221.yml	38.0.0