Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:pypi/werkzeug@3.1.6
purl pkg:pypi/werkzeug@3.1.6
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-jxz2-8tqb-mbeg Werkzeug safe_join() allows Windows special device names Werkzeug's `safe_join` function allows Windows device names as filenames if when preceded by other path segments. This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that `safe_join` accepts paths with multiple segments, such as `example/NUL`. `send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely. CVE-2026-27199
GHSA-29vq-49wr-vm6x

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T16:08:02.524039+00:00 GHSA Importer Fixing VCID-jxz2-8tqb-mbeg https://github.com/advisories/GHSA-29vq-49wr-vm6x 38.0.0
2026-04-01T12:53:55.507120+00:00 GitLab Importer Fixing VCID-jxz2-8tqb-mbeg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Werkzeug/CVE-2026-27199.yml 38.0.0
2026-04-01T12:52:41.220388+00:00 GithubOSV Importer Fixing VCID-jxz2-8tqb-mbeg https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-29vq-49wr-vm6x/GHSA-29vq-49wr-vm6x.json 38.0.0