PT-2026-21351 · Werkzeug · Werkzeug
Alimezar · Published 2026-02-19 · Updated 2026-05-20 · CVE-2026-27199
CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Werkzeug versions 3.1.5 and below
Description: The safe_join function in Werkzeug, a WSGI web application library, improperly handles Windows device names when they are used as filenames, particularly when preceded by other path segments. Because the function accepts Windows device names as filenames, an application running on Windows can hang indefinitely while reading a file if the requested path ends with a special device name. The send_from_directory function uses safe_join to serve files, so it is exposed to the same issue.
Recommendations: Update to Werkzeug version 3.1.6 or later.
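As a defensive illustration added here (not Werkzeug's own code or its 3.1.6 fix), a simplified safe_join variant that refuses any path segment naming a Windows device, so a send_from_directory-style helper never tries to open one. The device-name list and the convention that a None result is turned into a 404 by the caller are assumptions of this example.

```python
import posixpath
from typing import Optional

# Constructed list of Windows reserved device names (assumption: the set
# documented by Microsoft; COM0/LPT0 are not reserved and are omitted).
WINDOWS_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{n}" for n in range(1, 10)]
    + [f"LPT{n}" for n in range(1, 10)]
)


def is_windows_device_name(segment: str) -> bool:
    """Return True if a single path segment would resolve to a Windows device.

    Windows ignores case, trailing spaces/dots and anything after the first
    dot ("nul.txt" still opens the NUL device), so normalise the same way
    before comparing.
    """
    stem = segment.rstrip(" .").split(".", 1)[0].upper()
    return stem in WINDOWS_DEVICE_NAMES


def safe_join_no_devices(directory: str, *pathnames: str) -> Optional[str]:
    """Join untrusted segments under `directory`, refusing traversal and
    Windows device names in any segment.

    Simplified re-implementation for illustration, not Werkzeug's code.
    Returns None when the path must be refused (assumption: the caller maps
    None to a 404 response).
    """
    parts = [directory or "."]
    for filename in pathnames:
        if filename:
            filename = posixpath.normpath(filename)
        if (
            "\\" in filename                      # never accept backslashes
            or posixpath.isabs(filename)          # no absolute paths
            or filename == ".."
            or filename.startswith("../")         # no escaping the directory
            or any(is_windows_device_name(seg) for seg in filename.split("/"))
        ):
            return None
        parts.append(filename)
    return posixpath.join(*parts)
```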

Related Identifiers

CVE-2026-27199
GHSA-29VQ-49WR-VM6X

Affected Products

Werkzeug