Vulnerability Description
Werkzeug is a comprehensive WSGI web application library. Versions 3.1.5 and below, the safe_join function allows Windows device names as filenames if preceded by other path segments. This was previously reported as GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that safe_join accepts paths with multiple segments, such as example/NUL. The function send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely. This issue has been fixed in version 3.1.6.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Palletsprojects | Werkzeug | < 3.1.6 |
Related Weaknesses (CWE)
References
- https://github.com/pallets/werkzeug/commit/f407712fdc60a09c2b3f4fe7db557703e5d93Patch
- https://github.com/pallets/werkzeug/releases/tag/3.1.6Release Notes
- https://github.com/pallets/werkzeug/security/advisories/GHSA-29vq-49wr-vm6xVendor Advisory
FAQ
What is CVE-2026-27199?
CVE-2026-27199 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Werkzeug is a comprehensive WSGI web application library. Versions 3.1.5 and below, the safe_join function allows Windows device names as filenames if preceded by other path segments. This was previou...
How severe is CVE-2026-27199?
CVE-2026-27199 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-27199?
Check the references section above for vendor advisories and patch information. Affected products include: Palletsprojects Werkzeug.