6.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-21860

CVE-2026-21860: Werkzeug safe_join() allows Windows special device names with compound extensions

Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as CON.txt, or trailing spaces such as CON .

This was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the fix failed to account for compound extensions such as CON.txt.html or trailing spaces. It also missed some additional special names.

send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-21860

CVE-2026-21860:

6.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Werkzeug	pip	< 3.1.5	3.1.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the safe_join function in werkzeug.security. The provided patch 7ae1d254e04a0c33e241ac1cca4783ce6c875ca3 clearly shows the fix. The original code used os.path.splitext(filename)[0] to extract the base name of the file before checking it against a list of Windows special device names. This was flawed because splitext only removes the final extension. A filename like CON.txt.html would be processed as CON.txt, which was not in the list of special names, thus bypassing the check. The patch corrects this by using filename.partition('.')[0].strip(), which correctly isolates the base name (CON) before the first dot and removes any trailing spaces, effectively closing the loophole. The vulnerability could be triggered by any function that uses safe_join to construct a file path from user input, such as send_from_directory, leading to a denial-of-service attack on Windows-based systems.

Vulnerable functions

safe_join

src/werkzeug/security.py

The `safe_join` function used `os.path.splitext` to check for Windows special device names. This was insufficient as it did not handle filenames with multiple extensions (e.g., `CON.txt.html`) or trailing spaces, allowing an attacker to cause a denial of service by requesting a specially named file, which would cause the application to hang indefinitely when trying to read it.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-21860: Werkzeug safe_join() allows Windows special device names with compound extensions

CVE-2026-21860:

6.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.3

6.3

Technical Details

Basic Information

Basic Information

CVE-2026-21860: Werkzeug safe_join() allows Windows special device names with compound extensions

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI