cvedb.io
CVE-2024-49766
MEDIUM · CVSS 5.3
EPSS exploitation probability: 0%
Published 2024-10-25T20:15:04.410 · Last modified 2026-06-17T08:00:24.517

Summary

Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.

Affected products

palletsprojects — werkzeug

Does this affect you?

Add your gear to cvedb and we'll alert you only when palletsprojects ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.