CVE Catalog

CVE-2026-39821

CriticalCVSS 9.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.48%

38th percentile — higher than 38% of all known CVEs

Summary

The ToASCII and ToUnicode functions in the idna package incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") returns "example.com" instead of an error.

Risk Assessment

The risk is privilege escalation in programs using this package. An attacker can bypass access controls based on ASCII hostnames by using an encoded version that, after Unicode conversion, grants access to the protected resource.

Recommendation

Immediately update the idna package to a version that correctly rejects such invalid Punycode labels. Also review application code for similar vulnerabilities in domain name conversion handling.

Original NVD description (English source)

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Vulnerability data from NVD (NIST) · CISA KEV · EPSS