Skip to main content

CWE-67

Improper Handling of Windows Device Names

5 CVEs Avg CVSS 4.9 MITRE
0
CRITICAL
0
HIGH
4
MEDIUM
1
LOW
0
POC
0
KEV

Monthly

CVE-2026-27199 PyPI MEDIUM PATCH This Month

Werkzeug versions 3.1.5 and below on Windows fail to properly filter reserved device names in the safe_join function when paths contain multiple segments, allowing attackers to craft requests that trigger indefinite hangs by targeting special device names like NUL. Remote attackers can exploit this denial-of-service vulnerability against applications using send_from_directory to serve user-specified files. A patch is available in version 3.1.6.

Windows Werkzeug Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-21860 PyPI MEDIUM PATCH This Month

Werkzeug versions prior to 3.1.5 fail to properly validate Windows reserved device names in the safe_join function, allowing attackers to bypass path restrictions by using device names with file extensions or trailing spaces (e.g., CON.txt, AUX ). This denial of service vulnerability affects Windows systems running vulnerable Werkzeug versions and could allow an unauthenticated remote attacker to access restricted files or cause application crashes. A patch is available in version 3.1.5 and later.

Windows Werkzeug Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-66221 PyPI MEDIUM PATCH This Month

Werkzeug is a comprehensive WSGI web application library. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Microsoft Werkzeug Windows Red Hat +1
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2024-51745 Cargo LOW PATCH Monitor

Wasmtime is a fast and secure runtime for WebAssembly. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Microsoft Wasmtime
NVD GitHub
CVSS 4.0
2.3
EPSS
0.8%
CVE-2024-35197 Cargo MEDIUM PATCH This Month

gitoxide is a pure Rust implementation of Git. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Microsoft
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Werkzeug versions 3.1.5 and below on Windows fail to properly filter reserved device names in the safe_join function when paths contain multiple segments, allowing attackers to craft requests that trigger indefinite hangs by targeting special device names like NUL. Remote attackers can exploit this denial-of-service vulnerability against applications using send_from_directory to serve user-specified files. A patch is available in version 3.1.6.

Windows Werkzeug Suse
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Werkzeug versions prior to 3.1.5 fail to properly validate Windows reserved device names in the safe_join function, allowing attackers to bypass path restrictions by using device names with file extensions or trailing spaces (e.g., CON.txt, AUX ). This denial of service vulnerability affects Windows systems running vulnerable Werkzeug versions and could allow an unauthenticated remote attacker to access restricted files or cause application crashes. A patch is available in version 3.1.5 and later.

Windows Werkzeug Suse
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Werkzeug is a comprehensive WSGI web application library. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Microsoft Werkzeug +3
NVD GitHub
EPSS 1% CVSS 2.3
LOW PATCH Monitor

Wasmtime is a fast and secure runtime for WebAssembly. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Microsoft Wasmtime
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

gitoxide is a pure Rust implementation of Git. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Microsoft
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy