Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
Werkzeug WSGI Improper Handling of Windows Device Names Vulnerability - CVE-2026-21860 - Vulnerability Database
Werkzeug WSGI

Werkzeug WSGI Improper Handling of Windows Device Names Vulnerability - CVE-2026-21860

Medium
Reference: CVE-2026-21860
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2026-21860
Title: Werkzeug WSGI Improper Handling of Windows Device Names Vulnerability
Overview:

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5 Werkzeug39s safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows there are special device names such as CON AUX etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension such as CON.txt or trailing spaces such as CON. This issue has been patched in version 3.1.5.