PyPI: werkzeug
CVE-2026-27199
Safety vulnerability ID: SFTY-20260219-94237
Safety legacy ID: pyup.io-86908
Overview
Werkzeug safe_join() allows Windows special device names
Advisory
Affected versions of the Werkzeug package are vulnerable to Denial of Service (DoS) due to improper handling of Windows special device names in path joining logic. The safe_join() function fails to reject device-name path segments when they are preceded by other segments (for example, example/NUL), and send_from_directory() relies on safe_join() when resolving user-supplied file paths.
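The defect described above is that a device-name check applied to the joined value as a whole misses a reserved name that sits in a later segment, such as example/NUL. The following is an added example, not Werkzeug's own safe_join() and not the referenced fix commit: a small guarded join that normalizes each user-supplied path, rejects traversal and absolute paths, and then inspects every segment for the classic Windows reserved device names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), comparing the uppercased stem so that nul.txt is caught too. The directory name "static" and the sample paths are constructed for illustration.

```python
from __future__ import annotations

import posixpath

# Classic Windows reserved device names. Windows resolves "NUL.txt" and "nul"
# to the same device, so the comparison is made on the uppercased stem.
WINDOWS_DEVICE_NAMES = frozenset(
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def segment_is_device_name(segment: str) -> bool:
    """True if a single path segment names a Windows device (any extension)."""
    stem = segment.split(".", 1)[0].strip().upper()
    return stem in WINDOWS_DEVICE_NAMES


def has_windows_device_segment(path: str) -> bool:
    """Check every segment, not just the whole string, so 'example/NUL' is caught."""
    normalized = path.replace("\\", "/")
    return any(segment_is_device_name(seg) for seg in normalized.split("/") if seg)


def guarded_join(directory: str, *pathnames: str) -> str | None:
    """Join untrusted path parts under `directory`, or return None if unsafe.

    Hypothetical defensive wrapper written for this example; it mirrors the
    shape of a safe-join routine but is not Werkzeug's implementation.
    Device names are rejected on every platform (conservative choice).
    """
    parts = [directory or "."]
    for filename in pathnames:
        if filename != "":
            filename = posixpath.normpath(filename)
        if (
            "\\" in filename  # alternate separator, never accepted
            or posixpath.isabs(filename)
            or filename == ".."
            or filename.startswith("../")
        ):
            return None
        if has_windows_device_segment(filename):
            return None
        parts.append(filename)
    return posixpath.join(*parts)


if __name__ == "__main__":
    # Constructed sample requests a file-serving view might receive.
    for candidate in ["docs/readme.txt", "example/NUL", "nul.txt", "com1/report.pdf", "../etc/passwd"]:
        print(f"{candidate!r:22} -> {guarded_join('static', candidate)!r}")
```

Rejecting reserved names on every platform, not only when os.name == "nt", means a deployment moved from Linux to Windows does not silently change its exposure; the cost is that an ordinary Linux file literally named NUL cannot be served, which is a trade-off worth making for a directory that holds user-addressable files.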
References
- https://getsafety.com/vulnerabilities/SFTY-20260219-94237/CVE-2026-27199
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27199
- https://github.com/advisories/GHSA-29vq-49wr-vm6x
- https://github.com/pallets/werkzeug/commit/f407712fdc60a09c2b3f4fe7db557703e5d9338d
- https://github.com/pallets/werkzeug/security/advisories/GHSA-29vq-49wr-vm6x
- https://github.com/pallets/werkzeug/releases/tag/3.1.6
- https://nvd.nist.gov/vuln/detail/CVE-2026-27199
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.