Lookup for vulnerable packages by Package URL.

Purl pkg:deb/debian/python-werkzeug@0?distro=trixie
Type deb
Namespace debian
Name python-werkzeug
Version 0
Qualifiers
distro trixie
Subpath
Is_vulnerable false
Next_non_vulnerable_version 0.11.9+dfsg1-1
Latest_non_vulnerable_version 3.1.8-1
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-7c89-xxdz-gqbz
vulnerability_id VCID-7c89-xxdz-gqbz
summary
references
0
reference_url http://packetstormsecurity.com/files/163398/Pallets-Werkzeug-0.15.4-Path-Traversal.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://packetstormsecurity.com/files/163398/Pallets-Werkzeug-0.15.4-Path-Traversal.html
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-14322
reference_id
reference_type
scores
0
value 0.90059
scoring_system epss
scoring_elements 0.99601
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-14322
2
reference_url https://github.com/pallets/werkzeug
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pallets/werkzeug
3
reference_url https://palletsprojects.com/blog/werkzeug-0-15-5-released
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://palletsprojects.com/blog/werkzeug-0-15-5-released
4
reference_url https://palletsprojects.com/blog/werkzeug-0-15-5-released/
reference_id
reference_type
scores
url https://palletsprojects.com/blog/werkzeug-0-15-5-released/
5
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/webapps/50101.py
reference_id CVE-2019-14322
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/webapps/50101.py
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-14322
reference_id CVE-2019-14322
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-14322
fixed_packages
0
url pkg:deb/debian/python-werkzeug@0?distro=trixie
purl pkg:deb/debian/python-werkzeug@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@0%3Fdistro=trixie
1
url pkg:deb/debian/python-werkzeug@1.0.1%2Bdfsg1-2%2Bdeb11u1?distro=trixie
purl pkg:deb/debian/python-werkzeug@1.0.1%2Bdfsg1-2%2Bdeb11u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@1.0.1%252Bdfsg1-2%252Bdeb11u1%3Fdistro=trixie
2
url pkg:deb/debian/python-werkzeug@2.2.2-3%2Bdeb12u1?distro=trixie
purl pkg:deb/debian/python-werkzeug@2.2.2-3%2Bdeb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@2.2.2-3%252Bdeb12u1%3Fdistro=trixie
3
url pkg:deb/debian/python-werkzeug@3.1.3-2?distro=trixie
purl pkg:deb/debian/python-werkzeug@3.1.3-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@3.1.3-2%3Fdistro=trixie
4
url pkg:deb/debian/python-werkzeug@3.1.8-1?distro=trixie
purl pkg:deb/debian/python-werkzeug@3.1.8-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@3.1.8-1%3Fdistro=trixie
aliases CVE-2019-14322, GHSA-j544-7q9p-6xp8
risk_score 1.6
exploitability 2.0
weighted_severity 0.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7c89-xxdz-gqbz
1
url VCID-99ba-wcdr-1fax
vulnerability_id VCID-99ba-wcdr-1fax
summary
Werkzeug safe_join() allows Windows special device names with compound extensions
Werkzeug's `safe_join` function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as `CON`, `AUX`, etc., that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as `CON.txt`, or trailing spaces such as `CON `.

This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the fix failed to account for compound extensions such as `CON.txt.html` or trailing spaces. It also missed some additional special names.

`send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-21860
reference_id
reference_type
scores
0
value 0.00034
scoring_system epss
scoring_elements 0.10464
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-21860
1
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
2
reference_url https://github.com/pallets/werkzeug
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pallets/werkzeug
3
reference_url https://github.com/pallets/werkzeug/commit/7ae1d254e04a0c33e241ac1cca4783ce6c875ca3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T18:50:24Z/
url https://github.com/pallets/werkzeug/commit/7ae1d254e04a0c33e241ac1cca4783ce6c875ca3
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-21860
reference_id CVE-2026-21860
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-21860
5
reference_url https://github.com/advisories/GHSA-87hc-h4r5-73f7
reference_id GHSA-87hc-h4r5-73f7
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-87hc-h4r5-73f7
6
reference_url https://github.com/pallets/werkzeug/security/advisories/GHSA-87hc-h4r5-73f7
reference_id GHSA-87hc-h4r5-73f7
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T18:50:24Z/
url https://github.com/pallets/werkzeug/security/advisories/GHSA-87hc-h4r5-73f7
fixed_packages
0
url pkg:deb/debian/python-werkzeug@0?distro=trixie
purl pkg:deb/debian/python-werkzeug@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@0%3Fdistro=trixie
1
url pkg:deb/debian/python-werkzeug@1.0.1%2Bdfsg1-2%2Bdeb11u1?distro=trixie
purl pkg:deb/debian/python-werkzeug@1.0.1%2Bdfsg1-2%2Bdeb11u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@1.0.1%252Bdfsg1-2%252Bdeb11u1%3Fdistro=trixie
2
url pkg:deb/debian/python-werkzeug@2.2.2-3%2Bdeb12u1?distro=trixie
purl pkg:deb/debian/python-werkzeug@2.2.2-3%2Bdeb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@2.2.2-3%252Bdeb12u1%3Fdistro=trixie
3
url pkg:deb/debian/python-werkzeug@3.1.3-2?distro=trixie
purl pkg:deb/debian/python-werkzeug@3.1.3-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@3.1.3-2%3Fdistro=trixie
4
url pkg:deb/debian/python-werkzeug@3.1.8-1?distro=trixie
purl pkg:deb/debian/python-werkzeug@3.1.8-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@3.1.8-1%3Fdistro=trixie
aliases CVE-2026-21860, GHSA-87hc-h4r5-73f7
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-99ba-wcdr-1fax
2
url VCID-d1v7-6zwj-3qb1
vulnerability_id VCID-d1v7-6zwj-3qb1
summary
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-49766.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-49766.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-49766
reference_id
reference_type
scores
0
value 0.01392
scoring_system epss
scoring_elements 0.80685
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-49766
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/pallets/werkzeug
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pallets/werkzeug
4
reference_url https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-25T20:08:46Z/
url https://github.com/pallets/werkzeug/commit/2767bcb10a7dd1c297d812cc5e6d11a474c1f092
5
reference_url https://github.com/pallets/werkzeug/releases/tag/3.0.6
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-25T20:08:46Z/
url https://github.com/pallets/werkzeug/releases/tag/3.0.6
6
reference_url https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-25T20:08:46Z/
url https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-49766
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-49766
8
reference_url https://security.netapp.com/advisory/ntap-20250131-0005
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250131-0005
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2321828
reference_id 2321828
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2321828
10
reference_url https://github.com/advisories/GHSA-f9vj-2wh5-fj8j
reference_id GHSA-f9vj-2wh5-fj8j
reference_type
scores
url https://github.com/advisories/GHSA-f9vj-2wh5-fj8j
fixed_packages
0
url pkg:deb/debian/python-werkzeug@0?distro=trixie
purl pkg:deb/debian/python-werkzeug@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@0%3Fdistro=trixie
1
url pkg:deb/debian/python-werkzeug@1.0.1%2Bdfsg1-2%2Bdeb11u1?distro=trixie
purl pkg:deb/debian/python-werkzeug@1.0.1%2Bdfsg1-2%2Bdeb11u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@1.0.1%252Bdfsg1-2%252Bdeb11u1%3Fdistro=trixie
2
url pkg:deb/debian/python-werkzeug@2.2.2-3%2Bdeb12u1?distro=trixie
purl pkg:deb/debian/python-werkzeug@2.2.2-3%2Bdeb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@2.2.2-3%252Bdeb12u1%3Fdistro=trixie
3
url pkg:deb/debian/python-werkzeug@3.1.3-2?distro=trixie
purl pkg:deb/debian/python-werkzeug@3.1.3-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@3.1.3-2%3Fdistro=trixie
4
url pkg:deb/debian/python-werkzeug@3.1.8-1?distro=trixie
purl pkg:deb/debian/python-werkzeug@3.1.8-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@3.1.8-1%3Fdistro=trixie
aliases CVE-2024-49766, GHSA-f9vj-2wh5-fj8j
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d1v7-6zwj-3qb1
3
url VCID-q2zh-uejx-pkax
vulnerability_id VCID-q2zh-uejx-pkax
summary Werkzeug is a comprehensive WSGI web application library. If an uploaded file starts with CR or LF and is then followed by megabytes of data without these characters, all of these bytes are appended chunk by chunk into an internal bytearray, and the lookup for the boundary is performed on the growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46136.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46136.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-46136
reference_id
reference_type
scores
0
value 0.00878
scoring_system epss
scoring_elements 0.75641
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-46136
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/pallets/werkzeug
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pallets/werkzeug
4
reference_url https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1
5
reference_url https://github.com/pallets/werkzeug/commit/cbb446fdcada7685fce936ded01b76c08dbd6eb5
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pallets/werkzeug/commit/cbb446fdcada7685fce936ded01b76c08dbd6eb5
6
reference_url https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9
7
reference_url https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2
8
reference_url https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw
9
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-221.yaml
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-221.yaml
10
reference_url https://security.netapp.com/advisory/ntap-20231124-0008
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20231124-0008
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054553
reference_id 1054553
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054553
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2246310
reference_id 2246310
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2246310
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-46136
reference_id CVE-2023-46136
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-46136
14
reference_url https://github.com/advisories/GHSA-hrfv-mqp8-q5rw
reference_id GHSA-hrfv-mqp8-q5rw
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hrfv-mqp8-q5rw
15
reference_url https://access.redhat.com/errata/RHSA-2023:7473
reference_id RHSA-2023:7473
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7473
16
reference_url https://access.redhat.com/errata/RHSA-2023:7477
reference_id RHSA-2023:7477
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7477
17
reference_url https://access.redhat.com/errata/RHSA-2023:7610
reference_id RHSA-2023:7610
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7610
18
reference_url https://access.redhat.com/errata/RHSA-2024:0189
reference_id RHSA-2024:0189
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0189
19
reference_url https://access.redhat.com/errata/RHSA-2024:0214
reference_id RHSA-2024:0214
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0214
20
reference_url https://access.redhat.com/errata/RHSA-2025:9775
reference_id RHSA-2025:9775
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:9775
fixed_packages
0
url pkg:deb/debian/python-werkzeug@0?distro=trixie
purl pkg:deb/debian/python-werkzeug@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@0%3Fdistro=trixie
1
url pkg:deb/debian/python-werkzeug@1.0.1%2Bdfsg1-2%2Bdeb11u1?distro=trixie
purl pkg:deb/debian/python-werkzeug@1.0.1%2Bdfsg1-2%2Bdeb11u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@1.0.1%252Bdfsg1-2%252Bdeb11u1%3Fdistro=trixie
2
url pkg:deb/debian/python-werkzeug@2.2.2-3%2Bdeb12u1?distro=trixie
purl pkg:deb/debian/python-werkzeug@2.2.2-3%2Bdeb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@2.2.2-3%252Bdeb12u1%3Fdistro=trixie
3
url pkg:deb/debian/python-werkzeug@3.0.1-2?distro=trixie
purl pkg:deb/debian/python-werkzeug@3.0.1-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@3.0.1-2%3Fdistro=trixie
4
url pkg:deb/debian/python-werkzeug@3.1.3-2?distro=trixie
purl pkg:deb/debian/python-werkzeug@3.1.3-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@3.1.3-2%3Fdistro=trixie
5
url pkg:deb/debian/python-werkzeug@3.1.8-1?distro=trixie
purl pkg:deb/debian/python-werkzeug@3.1.8-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@3.1.8-1%3Fdistro=trixie
aliases CVE-2023-46136, GHSA-hrfv-mqp8-q5rw, PYSEC-2023-221
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q2zh-uejx-pkax
4
url VCID-swe1-e5n3-6kc1
vulnerability_id VCID-swe1-e5n3-6kc1
summary
Werkzeug safe_join() allows Windows special device names
Werkzeug's `safe_join` function allows Windows device names as filenames when preceded by other path segments.

This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that `safe_join` accepts paths with multiple segments, such as `example/NUL`.

`send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27199
reference_id
reference_type
scores
0
value 0.00027
scoring_system epss
scoring_elements 0.08359
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27199
1
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
2
reference_url https://github.com/pallets/werkzeug
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pallets/werkzeug
3
reference_url https://github.com/pallets/werkzeug/commit/f407712fdc60a09c2b3f4fe7db557703e5d9338d
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T19:02:05Z/
url https://github.com/pallets/werkzeug/commit/f407712fdc60a09c2b3f4fe7db557703e5d9338d
4
reference_url https://github.com/pallets/werkzeug/releases/tag/3.1.6
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T19:02:05Z/
url https://github.com/pallets/werkzeug/releases/tag/3.1.6
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27199
reference_id CVE-2026-27199
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27199
6
reference_url https://github.com/advisories/GHSA-29vq-49wr-vm6x
reference_id GHSA-29vq-49wr-vm6x
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-29vq-49wr-vm6x
7
reference_url https://github.com/pallets/werkzeug/security/advisories/GHSA-29vq-49wr-vm6x
reference_id GHSA-29vq-49wr-vm6x
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T19:02:05Z/
url https://github.com/pallets/werkzeug/security/advisories/GHSA-29vq-49wr-vm6x
fixed_packages
0
url pkg:deb/debian/python-werkzeug@0?distro=trixie
purl pkg:deb/debian/python-werkzeug@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@0%3Fdistro=trixie
1
url pkg:deb/debian/python-werkzeug@1.0.1%2Bdfsg1-2%2Bdeb11u1?distro=trixie
purl pkg:deb/debian/python-werkzeug@1.0.1%2Bdfsg1-2%2Bdeb11u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@1.0.1%252Bdfsg1-2%252Bdeb11u1%3Fdistro=trixie
2
url pkg:deb/debian/python-werkzeug@2.2.2-3%2Bdeb12u1?distro=trixie
purl pkg:deb/debian/python-werkzeug@2.2.2-3%2Bdeb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@2.2.2-3%252Bdeb12u1%3Fdistro=trixie
3
url pkg:deb/debian/python-werkzeug@3.1.3-2?distro=trixie
purl pkg:deb/debian/python-werkzeug@3.1.3-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@3.1.3-2%3Fdistro=trixie
4
url pkg:deb/debian/python-werkzeug@3.1.8-1?distro=trixie
purl pkg:deb/debian/python-werkzeug@3.1.8-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@3.1.8-1%3Fdistro=trixie
aliases CVE-2026-27199, GHSA-29vq-49wr-vm6x
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-swe1-e5n3-6kc1
5
url VCID-u44p-7huz-zfe8
vulnerability_id VCID-u44p-7huz-zfe8
summary
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-49767.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-49767.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-49767
reference_id
reference_type
scores
0
value 0.0112
scoring_system epss
scoring_elements 0.78552
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-49767
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-25T20:06:53Z/
url https://github.com/pallets/quart/commit/5e78c4169b8eb66b91ead3e62d44721b9e1644ee
4
reference_url https://github.com/pallets/quart/commit/abb04a512496206de279225340ed022852fbf51f
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-25T20:06:53Z/
url https://github.com/pallets/quart/commit/abb04a512496206de279225340ed022852fbf51f
5
reference_url https://github.com/pallets/werkzeug
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pallets/werkzeug
6
reference_url https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-25T20:06:53Z/
url https://github.com/pallets/werkzeug/commit/50cfeebcb0727e18cc52ffbeb125f4a66551179b
7
reference_url https://github.com/pallets/werkzeug/commit/cbb446fdcada7685fce936ded01b76c08dbd6eb5
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pallets/werkzeug/commit/cbb446fdcada7685fce936ded01b76c08dbd6eb5
8
reference_url https://github.com/pallets/werkzeug/releases/tag/3.0.6
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-25T20:06:53Z/
url https://github.com/pallets/werkzeug/releases/tag/3.0.6
9
reference_url https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-25T20:06:53Z/
url https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-49767
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-49767
11
reference_url https://security.netapp.com/advisory/ntap-20250103-0007
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250103-0007
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086062
reference_id 1086062
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086062
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086063
reference_id 1086063
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086063
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2321829
reference_id 2321829
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2321829
15
reference_url https://github.com/advisories/GHSA-q34m-jh98-gwm2
reference_id GHSA-q34m-jh98-gwm2
reference_type
scores
url https://github.com/advisories/GHSA-q34m-jh98-gwm2
16
reference_url https://access.redhat.com/errata/RHSA-2024:10852
reference_id RHSA-2024:10852
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10852
17
reference_url https://access.redhat.com/errata/RHSA-2025:1448
reference_id RHSA-2025:1448
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1448
18
reference_url https://usn.ubuntu.com/7093-1/
reference_id USN-7093-1
reference_type
scores
url https://usn.ubuntu.com/7093-1/
fixed_packages
0
url pkg:deb/debian/python-werkzeug@0?distro=trixie
purl pkg:deb/debian/python-werkzeug@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@0%3Fdistro=trixie
1
url pkg:deb/debian/python-werkzeug@1.0.1%2Bdfsg1-2%2Bdeb11u1?distro=trixie
purl pkg:deb/debian/python-werkzeug@1.0.1%2Bdfsg1-2%2Bdeb11u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@1.0.1%252Bdfsg1-2%252Bdeb11u1%3Fdistro=trixie
2
url pkg:deb/debian/python-werkzeug@2.2.2-3%2Bdeb12u1?distro=trixie
purl pkg:deb/debian/python-werkzeug@2.2.2-3%2Bdeb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@2.2.2-3%252Bdeb12u1%3Fdistro=trixie
3
url pkg:deb/debian/python-werkzeug@3.1.3-2?distro=trixie
purl pkg:deb/debian/python-werkzeug@3.1.3-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@3.1.3-2%3Fdistro=trixie
4
url pkg:deb/debian/python-werkzeug@3.1.8-1?distro=trixie
purl pkg:deb/debian/python-werkzeug@3.1.8-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@3.1.8-1%3Fdistro=trixie
aliases CVE-2024-49767, GHSA-q34m-jh98-gwm2
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u44p-7huz-zfe8
6
url VCID-yyyc-zv8z-p3ed
vulnerability_id VCID-yyyc-zv8z-p3ed
summary
Werkzeug safe_join() allows Windows special device names
Werkzeug's `safe_join` function allows path segments with Windows device names. On Windows, there are special device names such as `CON`, `AUX`, etc. that are implicitly present and readable in every directory. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66221.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66221.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-66221
reference_id
reference_type
scores
0
value 0.00032
scoring_system epss
scoring_elements 0.097
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-66221
2
reference_url https://github.com/pallets/werkzeug
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pallets/werkzeug
3
reference_url https://github.com/pallets/werkzeug/commit/4b833376a45c323a189cd11d2362bcffdb1c0c13
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-01T15:35:05Z/
url https://github.com/pallets/werkzeug/commit/4b833376a45c323a189cd11d2362bcffdb1c0c13
4
reference_url https://github.com/pallets/werkzeug/releases/tag/3.1.4
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-01T15:35:05Z/
url https://github.com/pallets/werkzeug/releases/tag/3.1.4
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2417789
reference_id 2417789
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2417789
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-66221
reference_id CVE-2025-66221
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-66221
7
reference_url https://github.com/advisories/GHSA-hgf8-39gv-g3f2
reference_id GHSA-hgf8-39gv-g3f2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hgf8-39gv-g3f2
8
reference_url https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2
reference_id GHSA-hgf8-39gv-g3f2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-01T15:35:05Z/
url https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2
fixed_packages
0
url pkg:deb/debian/python-werkzeug@0?distro=trixie
purl pkg:deb/debian/python-werkzeug@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@0%3Fdistro=trixie
1
url pkg:deb/debian/python-werkzeug@1.0.1%2Bdfsg1-2%2Bdeb11u1?distro=trixie
purl pkg:deb/debian/python-werkzeug@1.0.1%2Bdfsg1-2%2Bdeb11u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@1.0.1%252Bdfsg1-2%252Bdeb11u1%3Fdistro=trixie
2
url pkg:deb/debian/python-werkzeug@2.2.2-3%2Bdeb12u1?distro=trixie
purl pkg:deb/debian/python-werkzeug@2.2.2-3%2Bdeb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@2.2.2-3%252Bdeb12u1%3Fdistro=trixie
3
url pkg:deb/debian/python-werkzeug@3.1.3-2?distro=trixie
purl pkg:deb/debian/python-werkzeug@3.1.3-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@3.1.3-2%3Fdistro=trixie
4
url pkg:deb/debian/python-werkzeug@3.1.8-1?distro=trixie
purl pkg:deb/debian/python-werkzeug@3.1.8-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@3.1.8-1%3Fdistro=trixie
aliases CVE-2025-66221, GHSA-hgf8-39gv-g3f2
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yyyc-zv8z-p3ed
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-werkzeug@0%3Fdistro=trixie