WSGI Web Application Library Vulnerability in Werkzeug by Pallets
CVE-2026-27199

6.3MEDIUM

Key Information:

Vendor

Pallets

Status
Werkzeug
Vendor
CVE Published:
21 February 2026

What is CVE-2026-27199?

A vulnerability exists in the Werkzeug web application library, specifically in versions 3.1.5 and earlier, where the safe_join function improperly allows Windows device names as filenames if they are preceded by other segments. This issue permits the opening of files that could lead to an indefinite hang during reading processes, particularly when the application attempts to serve files under specific conditions on a Windows environment. This vulnerability has been addressed in version 3.1.6 of Werkzeug, which rectifies the filtering process associated with path segments.

Affected Version(s)

werkzeug < 3.1.6

References

https://github.com/pallets/werkzeug/security/advisories/G...
x_refsource_CONFIRM
https://github.com/pallets/werkzeug/commit/f407712fdc60a0...
x_refsource_MISC
https://github.com/pallets/werkzeug/releases/tag/3.1.6
x_refsource_MISC

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.