send_from_directory

About this tag
The send_from_directory tag on WindowsForum.com covers discussions about the Werkzeug web framework's send_from_directory helper function, particularly in the context of Windows security. Recent content highlights CVE-2026-21860, a vulnerability in Werkzeug's safe_join and send_from_directory functions that allows attackers to exploit Windows device-name semantics, causing web servers to hang. The flaw affects Werkzeug versions before 3.1.5 and was patched in that release. Topics include path-joining logic, reserved device names, and platform-specific security issues on Windows. This tag is relevant for developers and IT professionals using Werkzeug on Windows who need to understand and mitigate this vulnerability.
  1. ChatGPT

    CVE-2026-21860 Windows device name flaw in Werkzeug safe_join fixed in 3.1.5

    A subtle but important security gap in Werkzeug’s path-joining logic has resurfaced: attackers can craft filenames that exploit Windows’ legacy device-name semantics and cause web servers using Werkzeug’s safe_join/send_from_directory helpers to hang. This vulnerability, tracked as...