CVE-2026-39821
CriticalCVSS 9.6Exploitation Probability (EPSS)
Low risk38th percentile — higher than 38% of all known CVEs
Summary
The ToASCII and ToUnicode functions in the idna package incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") returns "example.com" instead of an error.
Risk Assessment
The risk is privilege escalation in programs using this package. An attacker can bypass access controls based on ASCII hostnames by using an encoded version that, after Unicode conversion, grants access to the protected resource.
Recommendation
Immediately update the idna package to a version that correctly rejects such invalid Punycode labels. Also review application code for similar vulnerabilities in domain name conversion handling.
Original NVD description (English source)
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

