Skip to main content

Werkzeug

13 CVEs product

Monthly

CVE-2026-27199 PyPI MEDIUM PATCH This Month

Werkzeug versions 3.1.5 and below on Windows fail to properly filter reserved device names in the safe_join function when paths contain multiple segments, allowing attackers to craft requests that trigger indefinite hangs by targeting special device names like NUL. Remote attackers can exploit this denial-of-service vulnerability against applications using send_from_directory to serve user-specified files. A patch is available in version 3.1.6.

Windows Werkzeug Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-21860 PyPI MEDIUM PATCH This Month

Werkzeug versions prior to 3.1.5 fail to properly validate Windows reserved device names in the safe_join function, allowing attackers to bypass path restrictions by using device names with file extensions or trailing spaces (e.g., CON.txt, AUX ). This denial of service vulnerability affects Windows systems running vulnerable Werkzeug versions and could allow an unauthenticated remote attacker to access restricted files or cause application crashes. A patch is available in version 3.1.5 and later.

Windows Werkzeug Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-66221 PyPI MEDIUM PATCH This Month

Werkzeug is a comprehensive WSGI web application library. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Microsoft Werkzeug Windows Red Hat +1
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2024-49766 PyPI MEDIUM PATCH This Month

Werkzeug is a Web Server Gateway Interface web application library. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Python Microsoft Werkzeug
NVD GitHub
CVSS 4.0
6.3
EPSS
0.8%
CVE-2024-34069 PyPI HIGH POC PATCH Act Now

Werkzeug is a comprehensive WSGI web application library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Werkzeug Debian Linux Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
3.4%
CVE-2023-46136 PyPI HIGH PATCH This Week

Werkzeug is a comprehensive WSGI web application library. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Werkzeug
NVD GitHub VulDB
CVSS 3.1
8.0
EPSS
0.6%
CVE-2023-25577 PyPI HIGH PATCH This Week

Werkzeug is a comprehensive WSGI web application library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Python Denial Of Service Werkzeug
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2023-23934 PyPI LOW PATCH Monitor

Werkzeug is a comprehensive WSGI web application library. Rated low severity (CVSS 3.5), this vulnerability is no authentication required, low attack complexity.

Information Disclosure Werkzeug
NVD GitHub
CVSS 3.1
3.5
EPSS
0.5%
CVE-2022-29361 PyPI CRITICAL PATCH Act Now

Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Werkzeug
NVD GitHub
CVSS 3.1
9.8
EPSS
7.7%
CVE-2020-28724 PyPI MEDIUM POC PATCH This Month

Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Open Redirect Werkzeug
NVD GitHub
CVSS 3.1
6.1
EPSS
1.7%
CVE-2019-14806 PyPI HIGH PATCH This Week

Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Docker Information Disclosure Werkzeug Leap
NVD GitHub
CVSS 3.1
7.5
EPSS
2.3%
CVE-2019-14322 PyPI HIGH POC PATCH THREAT This Week

In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Microsoft Werkzeug
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
55.5%
CVE-2016-10516 PyPI MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Python Werkzeug
NVD GitHub
CVSS 3.0
6.1
EPSS
0.4%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Werkzeug versions 3.1.5 and below on Windows fail to properly filter reserved device names in the safe_join function when paths contain multiple segments, allowing attackers to craft requests that trigger indefinite hangs by targeting special device names like NUL. Remote attackers can exploit this denial-of-service vulnerability against applications using send_from_directory to serve user-specified files. A patch is available in version 3.1.6.

Windows Werkzeug Suse
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Werkzeug versions prior to 3.1.5 fail to properly validate Windows reserved device names in the safe_join function, allowing attackers to bypass path restrictions by using device names with file extensions or trailing spaces (e.g., CON.txt, AUX ). This denial of service vulnerability affects Windows systems running vulnerable Werkzeug versions and could allow an unauthenticated remote attacker to access restricted files or cause application crashes. A patch is available in version 3.1.5 and later.

Windows Werkzeug Suse
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Werkzeug is a comprehensive WSGI web application library. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Microsoft Werkzeug +3
NVD GitHub
EPSS 1% CVSS 6.3
MEDIUM PATCH This Month

Werkzeug is a Web Server Gateway Interface web application library. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Python Microsoft +1
NVD GitHub
EPSS 3% CVSS 7.5
HIGH POC PATCH Act Now

Werkzeug is a comprehensive WSGI web application library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Werkzeug Debian Linux +1
NVD GitHub
EPSS 1% CVSS 8.0
HIGH PATCH This Week

Werkzeug is a comprehensive WSGI web application library. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Werkzeug
NVD GitHub VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Werkzeug is a comprehensive WSGI web application library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Python Denial Of Service Werkzeug
NVD GitHub
EPSS 1% CVSS 3.5
LOW PATCH Monitor

Werkzeug is a comprehensive WSGI web application library. Rated low severity (CVSS 3.5), this vulnerability is no authentication required, low attack complexity.

Information Disclosure Werkzeug
NVD GitHub
EPSS 8% CVSS 9.8
CRITICAL PATCH Act Now

Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Information Disclosure Request Smuggling Werkzeug
NVD GitHub
EPSS 2% CVSS 6.1
MEDIUM POC PATCH This Month

Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Open Redirect Werkzeug
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Docker Information Disclosure Werkzeug +1
NVD GitHub
EPSS 56% CVSS 7.5
HIGH POC PATCH THREAT This Week

In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Microsoft Werkzeug
NVD Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Python Werkzeug
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy