CVE-2026-21860 MEDIUM

CVE-2026-21860: Werkzeug safe_join() allows Windows special device names with compound extensions

Vendor Pallets
Product werkzeug
Weakness CWE-67
Published January 8, 2026
Last update January 8, 2026

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

Description

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments containing Windows device names that carry a file extension or trailing spaces. On Windows, special device names such as CON, AUX, etc. are implicitly present and readable in every directory, and Windows still resolves them when a file extension is appended (for example CON.txt) or when trailing spaces follow the name (for example CON followed by a space). This issue has been patched in version 3.1.5.
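The following is an added illustration of the check a path-joining routine needs, not Werkzeug's own code: an exact-match comparison (the weak form) misses `CON.txt` and `CON ` , while `is_windows_device_name` (an assumed helper name) strips trailing spaces and dots and compares only the part before the first dot; the `safe_join` shown is a simplified stand-in for the library function.

```python
import posixpath
from typing import Optional

# Windows reserved device names, compared case-insensitively. They exist
# in every directory, so no user-controlled segment may resolve to one.
_WINDOWS_DEVICE_NAMES = frozenset(
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def matches_device_name_exact(segment: str) -> bool:
    """Weak check: only catches the bare name, so "CON.txt" passes."""
    return segment.upper() in _WINDOWS_DEVICE_NAMES


def is_windows_device_name(segment: str) -> bool:
    """Hardened check covering compound extensions ("CON.tar.gz") and
    trailing spaces or dots ("CON ", "con."), which Windows ignores."""
    base = segment.rstrip(" .")            # Windows drops trailing " " and "."
    stem = base.split(".", 1)[0].rstrip(" ")  # name before the first dot
    return stem.upper() in _WINDOWS_DEVICE_NAMES


def safe_join(directory: str, *pathnames: str) -> Optional[str]:
    """Join untrusted segments under `directory`; return None when a
    segment escapes the directory or names a Windows device.
    Simplified illustration only (constructed for this example)."""
    parts = [directory or "."]
    for filename in pathnames:
        if filename != "":
            filename = posixpath.normpath(filename)
        if (
            "\\" in filename
            or filename.startswith("/")
            or filename == ".."
            or filename.startswith("../")
            # check every component, e.g. "css/lpt1.log"
            or any(is_windows_device_name(p) for p in filename.split("/"))
        ):
            return None
        parts.append(filename)
    return posixpath.join(*parts)
```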

Key dates

Disclosure timeline

January 8, 2026 CVE published
January 8, 2026 Record updated