Python/werkzeug/3.1.4
The comprehensive WSGI web application library.
https://pypi.org/project/werkzeug
UNKNOWN
1 Security Vulnerabilities
Werkzeug safe_join() allows Windows special device names
Published date: 2026-02-19T20:32:45Z
CVE: CVE-2026-27199
Links:
- https://github.com/pallets/werkzeug/security/advisories/GHSA-29vq-49wr-vm6x
- https://github.com/pallets/werkzeug/commit/f407712fdc60a09c2b3f4fe7db557703e5d9338d
- https://github.com/pallets/werkzeug/releases/tag/3.1.6
- https://github.com/advisories/GHSA-29vq-49wr-vm6x
- https://nvd.nist.gov/vuln/detail/CVE-2026-27199
Werkzeug's safe_join function allows Windows device names as filenames if when preceded by other path segments.
This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that safe_join accepts paths with multiple segments, such as example/NUL.
send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.
Affected versions: ["3.1.5", "3.1.4", "3.1.3", "3.1.2", "3.1.1", "3.1.0", "3.0.6", "3.0.5", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "2.3.8", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.3.1", "2.3.0", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.2.0a1", "2.1.2", "2.1.1", "2.1.0", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "2.0.0rc5", "2.0.0rc4", "2.0.0rc3", "2.0.0rc2", "2.0.0rc1", "1.0.1", "1.0.0", "1.0.0rc1", "0.16.1", "0.16.0", "0.15.6", "0.15.5", "0.15.4", "0.15.3", "0.15.2", "0.15.1", "0.15.0", "0.14.1", "0.14", "0.13", "0.12.2", "0.12.1", "0.12", "0.11.15", "0.11.14", "0.11.13", "0.11.12", "0.11.11", "0.11.10", "0.11.9", "0.11.8", "0.11.7", "0.11.6", "0.11.5", "0.11.4", "0.11.3", "0.11.2", "0.11.1", "0.11", "0.10.4", "0.10.3", "0.10.2", "0.10.1", "0.10", "0.9.6", "0.9.5", "0.9.4", "0.9.3", "0.9.2", "0.9.1", "0.9", "0.8.3", "0.8.2", "0.8.1", "0.8", "0.7.2", "0.7.1", "0.7", "0.6.2", "0.6.1", "0.6", "0.5.1", "0.5", "0.4.1", "0.4", "0.3.1", "0.3", "0.2", "0.1"]
Secure versions: [3.1.6, 3.1.7, 3.1.8]
Recommendation: Update to version 3.1.8.
106 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 0.15.3 | BSD-3-Clause AND BSD | 5 | 2019-05-14 - 21:10 | almost 7 years |
| 0.15.2 | BSD-3-Clause AND BSD | 6 | 2019-04-02 - 17:26 | about 7 years |
| 0.15.1 | BSD-3-Clause AND BSD | 6 | 2019-03-21 - 17:01 | about 7 years |
| 0.15.0 | BSD-3-Clause AND BSD | 6 | 2019-03-19 - 17:24 | about 7 years |
| 0.14.1 | BSD | 6 | 2017-12-31 - 21:16 | over 8 years |
| 0.14 | BSD | 6 | 2017-12-31 - 13:32 | over 8 years |
| 0.13 | BSD | 6 | 2017-12-07 - 17:33 | over 8 years |
| 0.12.2 | BSD | 6 | 2017-05-16 - 06:37 | almost 9 years |
| 0.12.1 | BSD | 6 | 2017-03-15 - 17:08 | about 9 years |
| 0.12 | BSD | 6 | 2017-03-10 - 11:22 | about 9 years |
| 0.11.15 | BSD | 6 | 2016-12-30 - 22:49 | over 9 years |
| 0.11.14 | BSD | 6 | 2016-12-30 - 22:13 | over 9 years |
| 0.11.13 | BSD | 6 | 2016-12-26 - 18:56 | over 9 years |
| 0.11.12 | BSD | 6 | 2016-12-26 - 14:10 | over 9 years |
| 0.11.11 | BSD | 6 | 2016-08-31 - 13:13 | over 9 years |
| 0.11.10 | BSD | 6 | 2016-05-24 - 09:24 | almost 10 years |
| 0.11.9 | BSD | 6 | 2016-04-24 - 18:31 | about 10 years |
| 0.11.8 | BSD | 6 | 2016-04-15 - 13:00 | about 10 years |
| 0.11.7 | BSD | 6 | 2016-04-14 - 17:38 | about 10 years |
| 0.11.6 | BSD | 6 | 2016-04-14 - 13:48 | about 10 years |
| 0.11.5 | BSD | 7 | 2016-03-22 - 19:39 | about 10 years |
| 0.11.4 | BSD | 7 | 2016-02-14 - 17:54 | about 10 years |
| 0.11.3 | BSD | 7 | 2015-12-19 - 23:13 | over 10 years |
| 0.11.2 | BSD | 7 | 2015-11-12 - 09:23 | over 10 years |
| 0.11.1 | BSD | 7 | 2015-11-10 - 11:48 | over 10 years |
| 0.11 | BSD | 7 | 2015-11-08 - 14:55 | over 10 years |
| 0.10.4 | BSD | 7 | 2015-03-26 - 15:50 | about 11 years |
| 0.10.3 | BSD | 7 | 1970-01-01 - 00:00 | over 56 years |
| 0.10.2 | BSD | 7 | 2015-03-26 - 12:40 | about 11 years |
| 0.10.1 | BSD | 7 | 2015-02-03 - 22:00 | about 11 years |
| 0.10 | BSD | 7 | 2015-01-29 - 23:03 | over 11 years |
| 0.9.6 | BSD | 7 | 2014-06-07 - 10:34 | almost 12 years |
| 0.9.5 | BSD | 7 | 2014-06-06 - 19:18 | almost 12 years |
| 0.9.4 | BSD | 7 | 2013-08-25 - 23:20 | over 12 years |
| 0.9.3 | BSD | 7 | 2013-07-25 - 15:00 | almost 13 years |
| 0.9.2 | BSD | 7 | 2013-07-18 - 15:06 | almost 13 years |
| 0.9.1 | BSD | 7 | 2013-06-14 - 08:51 | almost 13 years |
| 0.9 | BSD | 7 | 2013-06-13 - 08:27 | almost 13 years |
| 0.8.3 | BSD | 7 | 2012-02-05 - 11:10 | about 14 years |
| 0.8.2 | BSD | 7 | 2011-12-16 - 15:53 | over 14 years |
| 0.8.1 | BSD | 7 | 2011-09-30 - 12:50 | over 14 years |
| 0.8 | BSD | 7 | 2011-09-29 - 23:55 | over 14 years |
| 0.7.2 | BSD | 7 | 2011-09-30 - 12:48 | over 14 years |
| 0.7.1 | BSD | 7 | 2011-07-26 - 12:25 | almost 15 years |
| 0.7 | BSD | 7 | 2011-07-24 - 17:46 | almost 15 years |
| 0.6.2 | BSD | 7 | 2010-04-23 - 18:05 | about 16 years |
| 0.6.1 | BSD | 7 | 2010-04-13 - 00:16 | about 16 years |
| 0.6 | BSD | 7 | 2010-02-19 - 00:06 | about 16 years |
| 0.5.1 | BSD | 7 | 2009-07-09 - 22:15 | almost 17 years |
| 0.5 | BSD | 7 | 2009-04-25 - 00:16 | about 17 years |