Package details: pkg:pypi/werkzeug@3.1.5
purl pkg:pypi/werkzeug@3.1.5
Next non-vulnerable version 3.1.6
Latest non-vulnerable version 3.1.6
Risk 3.1
Vulnerabilities affecting this package (1)
Vulnerability VCID-jxz2-8tqb-mbeg
Aliases CVE-2026-27199, GHSA-29vq-49wr-vm6x
Summary Werkzeug safe_join() allows Windows special device names. Werkzeug's `safe_join` function allows Windows device names as filenames when they are preceded by other path segments. This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that `safe_join` accepts paths with multiple segments, such as `example/NUL`. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.
Fixed by 3.1.6
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability VCID-3mxv-vxtj-8kde
Aliases CVE-2026-21860, GHSA-87hc-h4r5-73f7
Summary Werkzeug safe_join() allows Windows special device names with compound extensions. Werkzeug's `safe_join` function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows there are special device names such as `CON`, `AUX`, etc. that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as `CON.txt`, or with trailing spaces, such as `CON `. This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the fix failed to account for compound extensions such as `CON.txt.html` or trailing spaces. It also missed some additional special names. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.
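The two advisories above describe the same class of bypass from two angles: the device name may sit in a later path segment (`example/NUL`), or it may carry an extension or trailing space (`CON.txt.html`, `CON `). The following is an added example, written for this page and not Werkzeug's own code, of how a safe-join routine can reject all of these shapes. `is_windows_device_name`, `safe_join_hardened` and `triage` are hypothetical names; the reserved-name set is the commonly documented one (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), and since the second advisory says further special names exist, it should be treated as a starting point rather than a complete list. The sample requests are constructed for the demonstration.

```python
import posixpath
import re
from typing import Dict, List, Optional

# Commonly documented reserved Windows device names. The advisory notes
# that additional special names exist, so treat this set as a floor.
_WINDOWS_DEVICE_NAMES = frozenset(
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# "C:..." style prefixes are absolute on Windows even with forward slashes.
_DRIVE_LETTER = re.compile(r"^[A-Za-z]:")


def is_windows_device_name(segment: str) -> bool:
    """Return True if a single path segment would resolve to a Windows device.

    Windows strips trailing spaces and dots from a name and matches reserved
    names against the part before the first dot, so "CON", "CON.txt",
    "CON.txt.html" and "CON " all open the console device. The comparison is
    case-insensitive. Stripping spaces after the split is deliberately
    conservative: it also rejects "CON .txt".
    """
    base = segment.rstrip(" .").split(".", 1)[0].rstrip(" ")
    return base.upper() in _WINDOWS_DEVICE_NAMES


def safe_join_hardened(directory: str, *pathnames: str) -> Optional[str]:
    """Join untrusted path segments under `directory`; return None if unsafe.

    Hypothetical helper: normalise, reject traversal and absolute paths, then
    check every segment (not only the whole value) for a device name, so
    "example/NUL" is rejected exactly like "NUL".
    """
    if not directory:
        directory = "."
    parts = [directory]
    for filename in pathnames:
        if filename != "":
            # normpath collapses "a/../b" to "b"; any ".." that survives
            # can only be at the front, which the checks below catch.
            filename = posixpath.normpath(filename)
        if (
            "\\" in filename                  # alternate separator
            or filename.startswith("/")       # absolute POSIX path
            or _DRIVE_LETTER.match(filename)  # absolute Windows path
            or filename == ".."
            or filename.startswith("../")
        ):
            return None
        # The device name may be in any segment, so test each one.
        if any(is_windows_device_name(seg) for seg in filename.split("/")):
            return None
        parts.append(filename)
    return posixpath.join(*parts)


def triage(directory: str, requested: List[str]) -> Dict[str, Optional[str]]:
    """Map each requested path to the joined result, or None if rejected."""
    return {p: safe_join_hardened(directory, p) for p in requested}


if __name__ == "__main__":
    # Constructed sample requests modelled on the cases in the advisories,
    # plus a few ordinary ones that must still be served.
    SAMPLE_REQUESTS = [
        "css/app.css",
        "NUL",
        "example/NUL",
        "CON.txt",
        "docs/CON.txt.html",
        "CON ",
        "images/../logo.png",
        "../../etc/passwd",
    ]
    for req, result in triage("static", SAMPLE_REQUESTS).items():
        print(f"{req!r:24} -> {'REJECTED' if result is None else result}")
```

The check does not consult the running operating system: on a Linux test host these names are ordinary files and the hang would never reproduce, yet the same application may be deployed on Windows, so the rejection has to be unconditional.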

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-29T23:02:41.826439+00:00 GitLab Importer Affected by VCID-jxz2-8tqb-mbeg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-27199.yml 38.5.0
2026-04-17T00:19:35.797353+00:00 GitLab Importer Affected by VCID-jxz2-8tqb-mbeg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-27199.yml 38.4.0
2026-04-12T01:43:59.294404+00:00 GitLab Importer Affected by VCID-jxz2-8tqb-mbeg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-27199.yml 38.3.0
2026-04-03T01:52:50.928063+00:00 GitLab Importer Affected by VCID-jxz2-8tqb-mbeg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-27199.yml 38.1.0
2026-04-01T16:07:30.845660+00:00 GHSA Importer Fixing VCID-3mxv-vxtj-8kde https://github.com/advisories/GHSA-87hc-h4r5-73f7 38.0.0
2026-04-01T12:53:37.347979+00:00 GitLab Importer Fixing VCID-3mxv-vxtj-8kde https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-21860.yml 38.0.0
2026-04-01T12:52:23.876027+00:00 GithubOSV Importer Fixing VCID-3mxv-vxtj-8kde https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-87hc-h4r5-73f7/GHSA-87hc-h4r5-73f7.json 38.0.0