send_from_directory
About this tag
The send_from_directory tag on WindowsForum.com covers discussions about the Werkzeug web framework's send_from_directory helper function, particularly in the context of Windows security. Recent content highlights CVE-2026-21860, a vulnerability in Werkzeug's safe_join and send_from_directory functions that allows attackers to exploit Windows device-name semantics, causing web servers to hang. The flaw affects Werkzeug versions before 3.1.5 and was patched in that release. Topics include path-joining logic, reserved device names, and platform-specific security issues on Windows. This tag is relevant for developers and IT professionals using Werkzeug on Windows who need to understand and mitigate this vulnerability.
A subtle but important security gap in Werkzeug’s path-joining logic has resurfaced: attackers can craft filenames that exploit Windows’ legacy device-name semantics and cause web servers using Werkzeug’s safe_join/send_from_directory helpers to hang. This vulnerability, tracked as...