Palletsprojects

Werkzeug

12 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
5.3

CVE-2025-66221

  • EPSS 0.08%
  • Veröffentlicht 29.11.2025 02:28:34
  • Zuletzt bearbeitet 03.12.2025 15:27:49

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly prese...

5.3

CVE-2024-49766

  • EPSS 0.79%
  • Veröffentlicht 25.10.2024 20:15:04
  • Zuletzt bearbeitet 03.12.2025 15:29:37

Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, po...

7.5

CVE-2024-49767

  • EPSS 1.18%
  • Veröffentlicht 25.10.2024 20:15:04
  • Zuletzt bearbeitet 03.01.2025 12:15:26

Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) a...

7.5

CVE-2024-34069

  • EPSS 41.94%
  • Veröffentlicht 06.05.2024 15:15:23
  • Zuletzt bearbeitet 03.12.2025 15:32:11

Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to intera...

7.5

CVE-2023-46136

  • EPSS 0.51%
  • Veröffentlicht 25.10.2023 18:17:36
  • Zuletzt bearbeitet 21.11.2024 08:27:57

Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and ...

3.5

CVE-2023-23934

  • EPSS 0.24%
  • Veröffentlicht 14.02.2023 20:15:17
  • Zuletzt bearbeitet 21.11.2024 07:47:07

Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a...

7.5

CVE-2023-25577

  • EPSS 0.33%
  • Veröffentlicht 14.02.2023 20:15:17
  • Zuletzt bearbeitet 21.11.2024 07:49:45

Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to...

9.8

CVE-2022-29361

  • EPSS 31.11%
  • Veröffentlicht 25.05.2022 01:15:07
  • Zuletzt bearbeitet 21.11.2024 06:58:58

Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior ...

6.1

CVE-2020-28724

Exploit
  • EPSS 0.92%
  • Veröffentlicht 18.11.2020 15:15:12
  • Zuletzt bearbeitet 21.11.2024 05:23:09

Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL.

7.5

CVE-2019-14806

  • EPSS 0.26%
  • Veröffentlicht 09.08.2019 15:15:12
  • Zuletzt bearbeitet 21.11.2024 04:27:23

Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.