
228 matches found

IBM Security Bulletins
added 2026/05/26 1:44 p.m. · 17 views

Security Bulletin: Vulnerabilities in underscore-umd-min, werkzeug-3.1.5, flask-3.1.1, cryptography, aircompressor, pyasn1, http, log4j, apache2-build, commons-configuration, bcpkix-jdk18on, server-MariaDB and Jline affect IBM COS Systems (April 2026)

Summary: Vulnerabilities with underscore-umd-min CVE-2026-27601, werkzeug-3.1.5 CVE-2026-27199, flask-3.1.1-py3-n CVE-2026-27205, cryptography CVE-2026-26007, aircompressor CVE-2025-67721, pyasn1 CVE-2026-23490, http, log4j CVE-2025-68161, apache2-build CVE-2025-55753, commons-configuration CVE-2024-29131, ...

CVSS 8.2 · AI score 7 · EPSS 0.00145
Exploits: 4 · Affected software: 1

IBM Security Bulletins
added 2026/05/04 12:48 p.m. · 4 views

Security Bulletin: Werkzeug safe_join function allows path segments with Windows device names containing file extensions or trailing spaces

Summary: Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc. that are implicitly...

CVSS 6.3 · AI score 5.8 · EPSS 0.00023
Exploits: 0 · Affected software: 1

AstraLinux
added 2026/05/20 5:53 a.m. · 4 views

Astra Linux - vulnerability in python-werkzeug

Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug’s multipart form data parser would parse an unlimited number of parts, including file parts. These parts could be small amounts of data, but each part requires CPU time to parse, and may consume more memory...

CVSS 7.5 · AI score 7.1 · EPSS 0.00366
Exploits: 0 · References: 2
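
The Astra Linux entry above describes the unbounded-part-count denial of service fixed in Werkzeug 2.2.3 (the release that introduced `Request.max_form_parts`). The Python below is an added example, not Werkzeug's parser: a minimal lazy multipart splitter that enforces the part limit before it does any work on the next part, plus a constructed sample body and a builder for an attacker-style body with thousands of tiny parts. `iter_multipart_parts`, `build_body`, `count_parts` and `TooManyParts` are names chosen for this example.

```python
class TooManyParts(ValueError):
    """Raised as soon as the part count exceeds the configured limit."""


def iter_multipart_parts(body: bytes, boundary: bytes, max_parts: int = 1000):
    """Lazily yield (headers, data) for each part of a multipart/form-data body.

    Minimal delimiter scanner for illustration, not Werkzeug's parser. The
    point is where the limit is enforced: the count is checked *before* the
    next part's headers and data are located and decoded, so an oversized
    request costs at most max_parts parts of CPU and memory.
    """
    delimiter = b"--" + boundary
    pos = body.find(delimiter)
    if pos < 0:
        raise ValueError("opening boundary not found")
    pos += len(delimiter)
    count = 0
    while True:
        if body.startswith(b"--", pos):
            return  # close delimiter: "--boundary--"
        if not body.startswith(b"\r\n", pos):
            raise ValueError("malformed delimiter line")
        pos += 2
        count += 1
        if count > max_parts:
            raise TooManyParts(f"more than {max_parts} parts in request body")
        end = body.find(b"\r\n" + delimiter, pos)
        if end < 0:
            raise ValueError("unterminated part")
        head, _, data = body[pos:end].partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        yield headers, data
        pos = end + 2 + len(delimiter)


# Constructed sample request body with two parts (not captured traffic).
SAMPLE_BODY = (
    b"--frontier\r\n"
    b'Content-Disposition: form-data; name="field1"\r\n'
    b"\r\n"
    b"value1\r\n"
    b"--frontier\r\n"
    b'Content-Disposition: form-data; name="file"; filename="a.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--frontier--\r\n"
)


def build_body(boundary: bytes, n_parts: int) -> bytes:
    """Construct a body of n_parts tiny fields, the shape an attacker would send."""
    part = (
        b"--" + boundary + b"\r\n"
        b'Content-Disposition: form-data; name="f"\r\n\r\nx\r\n'
    )
    return part * n_parts + b"--" + boundary + b"--\r\n"


def count_parts(body: bytes, boundary: bytes, max_parts: int) -> int:
    """Number of parts parsed, or -1 if the limit stopped the parser early."""
    try:
        return sum(1 for _ in iter_multipart_parts(body, boundary, max_parts))
    except TooManyParts:
        return -1
```

Because the generator is lazy and the count is checked first, a body with 5000 parts is rejected after 1000 parts of work instead of being fully parsed and then discarded; that ordering, not the limit value, is what makes the limit a defence.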

IBM Security Bulletins
added 2026/04/06 2:27 p.m. · 6 views

Security Bulletin: IBM Maximo Application Suite uses python-ldap-3.4.4.tar.gz, werkzeug-3.1.4-py3-none-any.whl and werkzeug-3.1.3-py3-none-any.whl, which are vulnerable to CVE-2025-61911, CVE-2025-61912, CVE-2026-27199 and CVE-2026-21860.

Summary: IBM Maximo Application Suite uses python-ldap-3.4.4.tar.gz, werkzeug-3.1.4-py3-none-any.whl and werkzeug-3.1.3-py3-none-any.whl, which are vulnerable to CVE-2025-61911, CVE-2025-61912, CVE-2026-27199 and CVE-2026-21860. This bulletin contains information regarding the vulnerability and its...

CVSS 6.9 · AI score 6.4 · EPSS 0.00142
Exploits: 3 · Affected software: 1

Veracode
added 2026/02/28 5:11 a.m. · 3 views

Path Traversal

Werkzeug is vulnerable to Path Traversal. The vulnerability is due to the safe_join function allowing Windows special device names as filenames if preceded by other path segments, where the function send_from_directory uses safe_join to safely serve files at user-specified paths under a directory and...

CVSS 6.3 · AI score 5.7 · EPSS 0.00027
Exploits: 1 · References: 3 · Affected software: 1

IBM Security Bulletins
added 2026/02/27 5:30 p.m. · 10 views

Security Bulletin: Vulnerabilities in assertj-core, spring-security-crypto, werkzeug, urllib, libsodium, jersey-client, log4j, dmidecode-dmidecode, and aide affect IBM Cloud Object Storage Systems (FEB 2026)

Summary: Vulnerabilities with assertj-core-3.27.3 CVE-2026-24400, spring-security-crypto-6.4.4 CVE-2025-22234, werkzeug-3.1.3-py3 CVE-2026-21860, CVE-2025-66221, urllib3-2.5.0-py3 CVE-2025-66418, CVE-2025-66471, CVE-2026-21441, libsodium CVE-2025-69277, jersey-client-2.25.1 CVE-2025-12383, ...

CVSS 9.4 · AI score 6.3 · EPSS 0.00042
Exploits: 0 · Affected software: 1

SUSE CVE
added 2026/02/24 12:24 a.m. · 0 views

SUSE CVE-2026-27199

Werkzeug is a comprehensive WSGI web application library. In versions 3.1.5 and below, the safe_join function allows Windows device names as filenames if preceded by other path segments. This was previously reported as GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that...

CVSS 6.3 · AI score 5.7 · EPSS 0.00027
Exploits: 1 · References: 3

GithubExploit
added 2026/02/20 9:24 a.m. · 351 views

Exploit for CVE-2026-27199

CVE-2026-27199 PoC: Werkzeug safe_join Windows Device-Name...

AI score 5.5 · EPSS 0.00027
Exploits: 1

Positive Technologies
added 2026/02/19 12:00 a.m. · 8 views

PT-2026-21351

Name of the vulnerable software and affected versions: Werkzeug versions 3.1.5 and below. Description: The safe_join function in Werkzeug, a WSGI web application library, improperly handles Windows device names when used as filenames, particularly when preceded by other path segments. Specifically,...

CVSS 6.3 · AI score 5.2 · EPSS 0.00027
Exploits: 1 · References: 13

SUSE CVE
added 2026/01/10 12:23 a.m. · 2 views

SUSE CVE-2026-21860

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc. that are implicitly present...

CVSS 6.3 · AI score 6.9 · EPSS 0.00023
Exploits: 0 · References: 3

Tenable Nessus
added 2026/01/10 12:00 a.m. · 2 views

Linux Distros Unpatched Vulnerability : CVE-2026-21860

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names th...

CVSS 6.3 · AI score 5.5 · EPSS 0.00023
Exploits: 0 · References: 2

vulnersOsv
added 2026/01/08 7:42 p.m. · 1 view

abilian-sbe (>=1.1.0 <=1.1.12), acfx (>=0.3.1 <=0.3.7.dev1) +687 more potentially affected by CVE-2025-66221 +1 more via werkzeug (>=3.0.0 <=3.1.4)

werkzeug (PyPI) version =3.0.0, =1.1.0, =0.3.1, =4.11.0, =1.0.0, =0.1.3, =0.2.4.1, =0.0.1, =1.3.0, =0.1.0, =0.1.1, =0.5.7, =0.1.0, =0.1.0, =1.0.0, =1.1.0a20250428 and more. Source CVEs: CVE-2025-66221, CVE-2026-21860. Source advisory: SNYK:PYTHON-WERKZEUG-14908843...

CVSS 6.3 · AI score 6 · EPSS 0.00042
Exploits: 0

Cvelist
added 2026/01/08 6:34 p.m. · 19 views

CVE-2026-21860 Werkzeug safe_join() allows Windows special device names with compound extensions

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc. that are implicitly present...

CVSS 6.3 · EPSS 0.00023
Exploits: 0 · References: 2

OSV
added 2026/01/08 6:34 p.m. · 3 views

CVE-2026-21860 Werkzeug safe_join() allows Windows special device names with compound extensions

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc. that are implicitly present...

CVSS 6.3 · AI score 6.5 · EPSS 0.00023
Exploits: 0 · References: 4

NVD
added 2025/11/29 3:16 a.m. · 3 views

CVE-2025-66221

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc. that are implicitly present and readable in every directory...

CVSS 6.3 · EPSS 0.00042
Exploits: 0 · References: 3

Debian CVE
added 2025/11/29 2:28 a.m. · 6 views

CVE-2025-66221

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc. that are implicitly present and readable in every directory...

CVSS 6.3 · AI score 5.5 · EPSS 0.00042
Exploits: 0

AlpineLinux
added 2025/11/29 2:28 a.m. · 3 views

CVE-2025-66221

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc. that are implicitly present and readable in every directory...

CVSS 6.3 · AI score 5.8 · EPSS 0.00042
Exploits: 0
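
The safe_join entries on this page describe one filter that was patched three times: bare Windows device names (CVE-2025-66221), names carrying a file extension or trailing spaces (CVE-2026-21860), and device names that appear after other path segments (CVE-2026-27199). The Python below is an added example, not Werkzeug's or Flask's code: a hypothetical `safe_join_demo` with a pluggable per-segment check, shown beside a `naive_is_device` check that models the gap the later advisories closed. `WINDOWS_DEVICE_NAMES`, `is_windows_device_name` and `safe_join_demo` are names chosen here; the device-name list follows Microsoft's documented reserved names, not Werkzeug's internal list.

```python
import posixpath

# Windows reserved device names per Microsoft's file-naming rules. This set is
# this example's own; it is not Werkzeug's internal list.
WINDOWS_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)


def naive_is_device(segment: str) -> bool:
    """Models the insufficient filter: only the bare, exact name is rejected."""
    return segment.upper() in WINDOWS_DEVICE_NAMES


def is_windows_device_name(segment: str) -> bool:
    """True if Windows would open a device rather than a file for this segment.

    Windows strips trailing spaces and dots, then ignores everything from the
    first '.' onward when matching reserved names, so 'CON.txt', 'con.tar.gz'
    and 'AUX ' all resolve to the device. Compare the normalised stem.
    """
    stem = segment.rstrip(" .").split(".", 1)[0]
    return stem.upper() in WINDOWS_DEVICE_NAMES


def safe_join_demo(directory: str, *pathnames: str, check=is_windows_device_name):
    """Join untrusted segments under directory; return None on anything unsafe.

    Hypothetical re-implementation for illustration, not Werkzeug's safe_join.
    Every segment of every argument is passed through check(), because a
    device name preceded by other segments ('css/CON.txt') is as dangerous as
    a bare one, which is the point of CVE-2026-27199.
    """
    parts = [directory or "."]
    for filename in pathnames:
        if filename != "":
            filename = posixpath.normpath(filename)
        # Reject the classic traversal shapes before looking at device names.
        if (
            "\\" in filename
            or filename.startswith("/")
            or filename == ".."
            or filename.startswith("../")
        ):
            return None
        for segment in filename.split("/"):
            if check(segment):
                return None
        parts.append(filename)
    return posixpath.join(*parts)
```

Upgrading Werkzeug to a release that fixes CVE-2026-27199 is the actual remediation; the check is shown only to make the three bypass classes concrete. Note that it inspects each segment rather than the final joined string, and that the normalisation (strip trailing spaces and dots, then cut at the first dot) is what turns `aux.css` and `CON.tar.gz` back into the names Windows matches.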

EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2020-0241

Malware in sbrugna...

CVSS 6.1 · AI score 6.1 · EPSS 0.00923
Exploits: 1 · References: 9

OSV
added 2025/08/22 11:36 a.m. · 2 views

OESA-2025-2060 python-werkzeug security update

A comprehensive WSGI web application library. Security fixes: Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the...

CVSS 7.5 · AI score 7.4 · EPSS 0.4365
Exploits: 0 · References: 2

OSV
added 2025/08/15 12:39 p.m. · 2 views

OESA-2025-1999 python-werkzeug security update

A comprehensive WSGI web application library. Security fixes: Werkzeug is a comprehensive WSGI web application library. If an upload of a file starts with CR or LF and is then followed by megabytes of data without these characters, all of these bytes are appended chunk by chunk into an internal...

CVSS 8 · AI score 6.9 · EPSS 0.00878
Exploits: 0 · References: 2
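
The OESA-2025-1999 entry above describes a body that begins with CR or LF and then carries megabytes without either character, which makes a line-oriented reader keep buffering while it waits for a terminator. The Python below is an added example, not Werkzeug's code: a chunk-fed line splitter with an optional buffer cap, compared against the unbounded behaviour on a constructed 1 MiB payload. `BoundedLineSplitter`, `peak_buffer` and `PAYLOAD` are names chosen for this example.

```python
import re

_LINE_END = re.compile(rb"\r\n|\r|\n")


class BoundedLineSplitter:
    """Turn arbitrary byte chunks into terminated lines with a bounded buffer.

    Illustration only, not Werkzeug's code. With max_buffer=None it keeps
    buffering until a terminator arrives, which is the failure mode on this
    page: a body that begins with CR or LF and then carries megabytes without
    either character grows the buffer without limit. With a cap set, pending
    bytes are flushed as a partial line once the buffer reaches the cap, so
    downstream code must accept lines that lack a terminator.
    """

    def __init__(self, max_buffer=None):
        self.max_buffer = max_buffer
        self._buf = b""
        self.peak = 0  # largest buffer size seen; what the demo measures

    def _over_limit(self) -> bool:
        return self.max_buffer is not None and len(self._buf) >= self.max_buffer

    def feed(self, chunk: bytes) -> list:
        """Append a chunk and return every line that is now complete."""
        self._buf += chunk
        self.peak = max(self.peak, len(self._buf))
        lines = []
        while self._buf:
            m = _LINE_END.search(self._buf)
            if m is None:
                if self._over_limit():
                    lines.append(self._buf)  # flush a partial line to bound memory
                    self._buf = b""
                break
            if m.group() == b"\r" and m.end() == len(self._buf) and not self._over_limit():
                break  # a trailing CR may be the first half of a CRLF in the next chunk
            lines.append(self._buf[: m.end()])
            self._buf = self._buf[m.end():]
        return lines

    def flush(self) -> list:
        """Return whatever is still buffered at end of input."""
        rest, self._buf = self._buf, b""
        return [rest] if rest else []


# Constructed payload (not a captured upload): a leading LF, then 1 MiB with no CR or LF.
PAYLOAD = b"\n" + b"A" * (1024 * 1024)


def peak_buffer(max_buffer, payload=PAYLOAD, chunk_size=8192) -> int:
    """Feed payload in chunk_size pieces and report the largest buffer observed."""
    splitter = BoundedLineSplitter(max_buffer)
    for i in range(0, len(payload), chunk_size):
        splitter.feed(payload[i : i + chunk_size])
    splitter.flush()
    return splitter.peak
```

With a cap, a line that never terminates is handed on in pieces, so whatever consumes the lines must tolerate fragments without a terminator; that is the price of keeping memory proportional to the cap plus one chunk rather than to the whole upload.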