Path Traversal Vulnerability in Werkzeug Web Application Library
CVE-2026-21860

6.3MEDIUM

Key Information:

Vendor: Pallets
Status: Werkzeug
Vendor: CVE Published:; 8 January 2026

What is CVE-2026-21860?

The Werkzeug library, a popular WSGI web application toolkit, has a vulnerability in its safe_join function that can be exploited to access restricted directories. Prior to version 3.1.5, this function incorrectly handled Windows device names, allowing them to be included in path segments even with file extensions or trailing spaces. Special device names like CON and AUX can be exploited, leading to potential unauthorized file access. Users are advised to upgrade to the patched version 3.1.5 to mitigate risks associated with this vulnerability.

Affected Version(s)

werkzeug < 3.1.5

References

https://github.com/pallets/werkzeug/security/advisories/G...

x_refsource_CONFIRM

https://github.com/pallets/werkzeug/commit/7ae1d254e04a0c...

x_refsource_MISC

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Jan 8, 2026
Vulnerability Reserved
Jan 5, 2026

JSON

Pallets

What is CVE-2026-21860?

Affected Version(s)

References

CVSS V4

Timeline