Vulnerability in Pallets Werkzeug

CVE-2026-21860

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special devi…

EPSS: 0.000 (10.4th percentile) — read the EPSS interpretation.

Affected products

Pallets Werkzeug — versions < 3.1.5

Weakness classification (CWE)

CWE-67

References

https://github.com/pallets/werkzeug/security/advisories/GHSA-87hc-h4r5-73f7 (x_refsource_CONFIRM)
https://github.com/pallets/werkzeug/commit/7ae1d254e04a0c33e241ac1cca4783ce6c875ca3 (x_refsource_MISC)