Publish GHSA-87hc-h4r5-73f7

Author: advisory-database[bot]

advisories/github-reviewed/2026/01/GHSA-87hc-h4r5-73f7/GHSA-87hc-h4r5-73f7.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-87hc-h4r5-73f7",
-  "modified": "2026-01-08T21:36:59Z",
+  "modified": "2026-02-02T19:57:31Z",
   "published": "2026-01-08T19:51:21Z",
   "aliases": [
     "CVE-2026-21860"
   ],
   "summary": " Werkzeug safe_join() allows Windows special device names with compound extensions",
   "details": "Werkzeug's `safe_join` function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as `CON`, `AUX`, etc that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as `CON.txt`, or trailing spaces such as `CON `.\n\nThis was previously reported as https://github.com/pallets/werkzeug/security/advisories/GHSA-hgf8-39gv-g3f2, but the fix failed to account for compound extensions such as `CON.txt.html` or trailing spaces. It also missed some additional special names.\n\n`send_from_directory` uses `safe_join` to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"