Palletsprojects Werkzeug — known CVE vulnerabilities
Every CVE whose affected-product data names Palletsprojects Werkzeug, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (14)
CVE-2022-29361 — CVSS 9.8 (critical): Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted…
CVE-2023-46136 — CVSS 8.0 (high): Werkzeug is a comprehensive WSGI web application library. In versions on the 3.x branch prior to 3.0.1 and on the 2.x branch prior to…
CVE-2019-14806 — CVSS 7.5 (high): Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same…
CVE-2024-49767 — CVSS 7.5 (high): Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding…
CVE-2023-25577 — CVSS 7.5 (high): Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an…
CVE-2019-14322 — CVSS 7.5 (high): In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames.
CVE-2024-34069 — CVSS 7.5 (high): Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute…
CVE-2016-10516 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11…
CVE-2024-49766 — CVSS 5.3 (medium): Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths…
CVE-2025-66221 — CVSS 5.3 (medium): Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with…
CVE-2026-21860 — CVSS 5.3 (medium): Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with…
CVE-2026-27199 — CVSS 5.3 (medium): Werkzeug is a comprehensive WSGI web application library. Versions 3.1.5 and below, the safe_join function allows Windows device names as…
CVE-2023-23934 — CVSS 2.6 (low): Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of…