Skip to main content

Werkzeug CVE-2019-14322

HIGH
Path Traversal (CWE-22)
2019-07-28 cve@mitre.org
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 28, 2019 - 13:15 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 18 pypi packages depend on werkzeug (17 direct, 1 indirect)

Ecosystem-wide dependent count for version 0.15.5.

DescriptionNVD

In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames.

AnalysisAI

In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. Affected products include: Palletsprojects Werkzeug. Version information: before 0.15.5.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

CVE-2024-34069 HIGH POC
7.5 May 06

Werkzeug is a comprehensive WSGI web application library. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2020-28724 MEDIUM POC
6.1 Nov 18

Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL. Rated medium severity (CVSS 6.1), t

CVE-2022-29361 CRITICAL
9.8 May 25

Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smugglin

CVE-2023-46136 HIGH
8.0 Oct 25

Werkzeug is a comprehensive WSGI web application library. Rated high severity (CVSS 8.0), this vulnerability is low atta

CVE-2023-25577 HIGH
7.5 Feb 14

Werkzeug is a comprehensive WSGI web application library. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2019-14806 HIGH
7.5 Aug 09

Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker container

CVE-2025-66221 MEDIUM
6.3 Nov 29

Werkzeug is a comprehensive WSGI web application library. Rated medium severity (CVSS 6.3), this vulnerability is remote

CVE-2024-49766 MEDIUM
6.3 Oct 25

Werkzeug is a Web Server Gateway Interface web application library. Rated medium severity (CVSS 6.3), this vulnerability

CVE-2016-10516 MEDIUM
6.1 Oct 23

Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werk

CVE-2026-27199 MEDIUM
5.3 Feb 21

Werkzeug versions 3.1.5 and below on Windows fail to properly filter reserved device names in the safe_join function whe

CVE-2026-21860 MEDIUM
5.3 Jan 08

Werkzeug versions prior to 3.1.5 fail to properly validate Windows reserved device names in the safe_join function, allo

CVE-2023-23934 LOW
3.5 Feb 14

Werkzeug is a comprehensive WSGI web application library. Rated low severity (CVSS 3.5), this vulnerability is no authen

Share

CVE-2019-14322 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy