一、漏洞信息
漏洞编号:CVE-2026-39821
漏洞归属组件:net
漏洞归属分支:默认分支
漏洞归属的版本:v0.23.0
漏洞修复版本: 0.55.0
CVSS分值:
BaseScore: 8.2 High
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
漏洞简述:
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
漏洞公开时间:2026-05-22 16:16:20
漏洞创建时间:2026-06-24 02:58:27
漏洞详情参考链接:
https://nvd.nist.gov/vuln/detail/CVE-2026-39821
一、漏洞信息
漏洞编号:CVE-2026-39821
漏洞归属组件:net
漏洞归属分支:默认分支
漏洞归属的版本:v0.23.0
漏洞修复版本: 0.55.0
CVSS分值:
BaseScore: 8.2 High
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
漏洞简述:
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
漏洞公开时间:2026-05-22 16:16:20
漏洞创建时间:2026-06-24 02:58:27
漏洞详情参考链接:
https://nvd.nist.gov/vuln/detail/CVE-2026-39821