Python/werkzeug/3.1.4
The comprehensive WSGI web application library.
https://pypi.org/project/werkzeug
UNKNOWN
1 Security Vulnerabilities
Werkzeug safe_join() allows Windows special device names
Published date: 2026-02-19T20:32:45Z
CVE: CVE-2026-27199
Links:
- https://github.com/pallets/werkzeug/security/advisories/GHSA-29vq-49wr-vm6x
- https://github.com/pallets/werkzeug/commit/f407712fdc60a09c2b3f4fe7db557703e5d9338d
- https://github.com/pallets/werkzeug/releases/tag/3.1.6
- https://github.com/advisories/GHSA-29vq-49wr-vm6x
- https://nvd.nist.gov/vuln/detail/CVE-2026-27199
Werkzeug's safe_join function allows Windows device names as filenames if when preceded by other path segments.
This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that safe_join accepts paths with multiple segments, such as example/NUL.
send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.
Affected versions: ["3.1.5", "3.1.4", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.2.0a1", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc5", "2.0.0rc4", "2.0.0rc3", "2.0.0rc2", "2.0.0rc1", "1.0.1", "1.0.0", "1.0.0rc1", "0.16.1", "0.16.0", "0.15.6", "0.15.5", "0.15.4", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.1", "0.14", "0.13", "0.12.2", "0.12.1", "0.12", "0.11.15", "0.11.14", "0.11.13", "0.11.12", "0.11.11", "0.11.10", "0.11.9", "0.11.8", "0.11.7", "0.11.6", "0.11.5", "0.11.4", "0.11.3", "0.11.2", "0.11.1", "0.11", "0.10.4", "0.10.3", "0.10.2", "0.10.1", "0.10", "0.9.6", "0.9.5", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9", "0.8.3", "0.8.2", "0.8.1", "0.8", "0.7.2", "0.7.1", "0.7", "0.6.2", "0.6.1", "0.6", "0.5.1", "0.5", "0.4.1", "0.4", "0.3.1", "0.3", "0.2", "0.1"]
Secure versions: [3.1.6, 3.1.7, 3.1.8]
Recommendation: Update to version 3.1.8.
106 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 3.1.8 | UNKNOWN | |||
| 3.1.7 | UNKNOWN | |||
| 3.1.6 | UNKNOWN | |||
| 3.1.5 | UNKNOWN | 1 | ||
| 3.1.4 | UNKNOWN | 1 | ||
| 3.1.3 | BSD | 2 | 1970-01-01 - 00:00 | over 56 years |
| 3.1.2 | BSD | 2 | 1970-01-01 - 00:00 | over 56 years |
| 3.1.1 | BSD | 2 | 1970-01-01 - 00:00 | over 56 years |
| 3.1.0 | BSD | 2 | 1970-01-01 - 00:00 | over 56 years |
| 3.0.6 | BSD | 2 | 1970-01-01 - 00:00 | over 56 years |
| 3.0.5 | BSD | 3 | 1970-01-01 - 00:00 | over 56 years |
| 3.0.4 | BSD | 3 | 1970-01-01 - 00:00 | over 56 years |
| 3.0.3 | BSD | 3 | 1970-01-01 - 00:00 | over 56 years |
| 3.0.2 | BSD | 3 | 1970-01-01 - 00:00 | over 56 years |
| 3.0.1 | BSD | 3 | 1970-01-01 - 00:00 | over 56 years |
| 3.0.0 | BSD | 4 | 1970-01-01 - 00:00 | over 56 years |
| 2.3.8 | BSD | 3 | 1970-01-01 - 00:00 | over 56 years |
| 2.3.7 | BSD | 4 | 1970-01-01 - 00:00 | over 56 years |
| 2.3.6 | BSD-3-Clause AND BSD | 4 | 1970-01-01 - 00:00 | over 56 years |
| 2.3.5 | BSD-3-Clause AND BSD | 4 | 1970-01-01 - 00:00 | over 56 years |
| 2.3.4 | BSD-3-Clause AND BSD | 4 | 1970-01-01 - 00:00 | over 56 years |
| 2.3.3 | BSD-3-Clause AND BSD | 4 | 1970-01-01 - 00:00 | over 56 years |
| 2.3.2 | BSD-3-Clause AND BSD | 4 | 1970-01-01 - 00:00 | over 56 years |
| 2.3.1 | BSD-3-Clause AND BSD | 4 | 1970-01-01 - 00:00 | over 56 years |
| 2.3.0 | BSD-3-Clause AND BSD | 4 | 1970-01-01 - 00:00 | over 56 years |
| 2.2.3 | BSD-3-Clause AND BSD | 4 | 1970-01-01 - 00:00 | over 56 years |
| 2.2.2 | BSD-3-Clause AND BSD | 4 | 1970-01-01 - 00:00 | over 56 years |
| 2.2.1 | BSD-3-Clause AND BSD | 4 | 1970-01-01 - 00:00 | over 56 years |
| 2.2.0 | BSD-3-Clause AND BSD | 4 | 1970-01-01 - 00:00 | over 56 years |
| 2.2.0a1 | BSD-3-Clause AND BSD | 4 | 1970-01-01 - 00:00 | over 56 years |
| 2.1.2 | BSD-3-Clause AND BSD | 4 | 2022-04-28 - 17:39 | about 4 years |
| 2.1.1 | BSD-3-Clause AND BSD | 4 | 2022-04-01 - 16:01 | about 4 years |
| 2.1.0 | BSD-3-Clause AND BSD | 4 | 2022-03-28 - 17:55 | about 4 years |
| 2.0.3 | BSD-3-Clause AND BSD | 4 | 2022-02-07 - 21:04 | about 4 years |
| 2.0.2 | BSD-3-Clause AND BSD | 4 | 2021-10-06 - 00:27 | over 4 years |
| 2.0.1 | BSD-3-Clause AND BSD | 4 | 2021-05-17 - 23:16 | almost 5 years |
| 2.0.0 | BSD-3-Clause AND BSD | 4 | 2021-05-11 - 20:26 | almost 5 years |
| 2.0.0rc5 | BSD-3-Clause AND BSD | 4 | 2021-05-03 - 14:16 | almost 5 years |
| 2.0.0rc4 | BSD-3-Clause AND BSD | 4 | 2021-04-16 - 15:35 | about 5 years |
| 2.0.0rc3 | BSD-3-Clause AND BSD | 4 | 2021-03-17 - 20:42 | about 5 years |
| 2.0.0rc2 | BSD-3-Clause AND BSD | 4 | 2021-03-03 - 20:45 | about 5 years |
| 2.0.0rc1 | BSD-3-Clause AND BSD | 4 | 2021-02-08 - 15:20 | about 5 years |
| 1.0.1 | BSD-3-Clause AND BSD | 4 | 2020-03-31 - 18:03 | about 6 years |
| 1.0.0 | BSD-3-Clause AND BSD | 4 | 2020-02-06 - 20:25 | about 6 years |
| 1.0.0rc1 | BSD-3-Clause AND BSD | 4 | 2020-01-31 - 16:58 | about 6 years |
| 0.16.1 | BSD-3-Clause AND BSD | 4 | 2020-01-27 - 04:13 | over 6 years |
| 0.16.0 | BSD-3-Clause AND BSD | 4 | 2019-09-19 - 14:39 | over 6 years |
| 0.15.6 | BSD-3-Clause AND BSD | 4 | 2019-09-04 - 20:09 | over 6 years |
| 0.15.5 | BSD-3-Clause AND BSD | 4 | 2019-07-17 - 15:31 | almost 7 years |
| 0.15.4 | BSD-3-Clause AND BSD | 5 | 2019-05-15 - 01:49 | almost 7 years |