Certain unauthenticated POST endpoints in simple Python web apps can be exploited for command injection. For instance, the "thesystem" application on Python 3.5.3 (and potentially later versions with similar code) allowed executing arbitrary commands via a parameter in a POST request to /run_command/.

Werkzeug Debug Shell RCE
Normalize paths using os.path.abspath or urllib.parse.unquote and check that the final path is within the intended directory.
You're referring to a vulnerability in the WSGI server, specifically a potential exploit in the wsgiserver module, which is part of the wsgiref library in Python.