PT-2026-2107 · Werkzeug · Werkzeug

Yueyuel · Published 2026-01-08 · Updated 2026-05-20 · CVE-2026-21860

CVSS v4.0: 6.3 (Medium)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Werkzeug versions prior to 3.1.5

Description

Werkzeug’s `safe_join` function improperly handles path segments containing Windows device names with file extensions or trailing spaces. Windows device names, such as CON and AUX, are implicitly present and readable in every directory, and they are accepted with file extensions (e.g., `CON.txt`) or trailing spaces (e.g., `"CON "`). This can lead to unauthorized access or manipulation of system resources.

Recommendations

Update Werkzeug to version 3.1.5 or later.
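
The description above covers two forms of a device name: with a file extension and with trailing spaces. The following pre-check for user-supplied paths is an added example, not Werkzeug's own code or its fix; the function names and the reserved-name list are assumptions made for the example.

```python
import re

# Reserved Windows device names (assumed list for this example: the classic
# DOS devices; the advisory itself names only CON and AUX).
WINDOWS_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)


def is_device_segment(segment: str) -> bool:
    """Return True if one path segment names a Windows device.

    Covers the two forms in the advisory: a device name followed by a file
    extension (CON.txt) and a device name with trailing spaces ("CON ").
    """
    # Drop everything from the first dot, then trailing spaces, then compare
    # case-insensitively, since Windows file names are case-insensitive.
    stem = segment.split(".", 1)[0].rstrip(" ")
    return stem.upper() in WINDOWS_DEVICE_NAMES


def find_device_segments(untrusted_path: str) -> list[str]:
    """Return every segment of a user-supplied path that names a device."""
    # Split on both separators so the check does not depend on the host OS.
    segments = re.split(r"[\\/]", untrusted_path)
    return [s for s in segments if is_device_segment(s)]


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    samples = ["static/css/site.css", "uploads/CON.txt", "reports/aux /q1.csv", "img/icon.png"]
    for path in samples:
        hits = find_device_segments(path)
        print(f"{path!r}: {'REJECT ' + repr(hits) if hits else 'ok'}")
```

A check like this can run on the raw request path as defense in depth or to flag suspicious requests in logs; it does not replace the update to 3.1.5 or later.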

Related Identifiers

CVE-2026-21860
GHSA-87HC-H4R5-73F7

Affected Products

Werkzeug