CVE-2026-21860: Werkzeug safe_join() allows Windows special device names with compound extensions

Published Jan 8, 2026
·
Updated

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as CON.txt, or trailing spaces such as CON. This issue has been patched in version 3.1.5.

Affected Software

5 affected componentsFixes available
pypi/werkzeug<3.1.5
pip/Werkzeug<3.1.5
3.1.5
All of the following
palletsprojects Werkzeug<3.1.5
Microsoft Windows
IBM watsonx.data intelligence<=5.2.0, 5.2.1, 5.3.0, 5.3.1

Remediation

Patch Available

https://github.com/pallets/werkzeug/commit/7ae1d254e04a0c33e241ac1cca4783ce6c875ca3

Event History

Jan 8, 2026
CVE Published
via MITRE·06:34 PM
Data Sourced
via MITRE·06:34 PM
DescriptionWeakness
Data Sourced
via NVD·07:15 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·07:15 PM
RemedyAffected Software
Advisory Published
via GitHub·07:51 PM
Data Sourced
via GitHub·07:51 PM
DescriptionWeaknessAffected Software
Apr 27, 2026
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-21860?

CVE-2026-21860 has been classified as a high severity vulnerability due to the risk of directory traversal attacks.

2

How do I fix CVE-2026-21860?

To mitigate CVE-2026-21860, upgrade Werkzeug to version 3.1.5 or later.

3

What does CVE-2026-21860 affect?

CVE-2026-21860 affects versions of Werkzeug prior to 3.1.5.

4

What is the nature of the vulnerability in CVE-2026-21860?

CVE-2026-21860 allows unsafe path segment handling with Windows device names, which can lead to security vulnerabilities.

5

Is CVE-2026-21860 specific to any operating system?

Yes, CVE-2026-21860 is specifically a concern for applications running on Windows.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203