CVE-2026-27199Improper Handling of Windows Device Names in Werkzeug

CWE-67Improper Handling of Windows Device Names7 documents7 sources
Severity
6.3MEDIUMNVD
EPSS
0.0%
top 94.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Pallets WerkzeugPalletsprojects Werkzeug
Timeline
PublishedFeb 21

Description

Werkzeug is a comprehensive WSGI web application library. Versions 3.1.5 and below, the safe_join function allows Windows device names as filenames if preceded by other path segments. This was previously reported as GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that safe_join accepts paths with multiple segments, such as example/NUL. The function send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages3 packages

CVEListV5pallets/werkzeug< 3.1.6

Patches

Patch: github.com

🔴Vulnerability Details

3
CVEList
Werkzeug safe_join() allows Windows special device names2026-02-21
GHSA
Werkzeug safe_join() allows Windows special device names2026-02-19
OSV
Werkzeug safe_join() allows Windows special device names2026-02-19

📋Vendor Advisories

2
Microsoft
Werkzeug safe_join() allows Windows special device names2026-02-10
Debian
CVE-2026-27199: python-werkzeug - Werkzeug is a comprehensive WSGI web application library. Versions 3.1.5 and bel...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-27199 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-27199 — Pallets Werkzeug vulnerability | cvebase