PT-2026-42782 · Pypi · Idna

Kc1Zs4 · Published 2026-05-22 · Updated 2026-05-22 · CVE-2026-39821

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

idna (affected versions not specified)

Description

The ToASCII() and ToUnicode() functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For instance, ToUnicode("xn--example-.com") returns "example.com" instead of an error. This behavior can lead to privilege escalation in programs that use the idna package: a program that performs privilege checks on an ASCII hostname might reject "example.com" but permit "xn--example-.com", and subsequently grant access to "example.com" after converting the hostname to Unicode.
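
The check the description implies, as an added example (not code from the idna package or from this advisory): decode each label, refuse any "xn--" label whose decoded form is ASCII-only, and apply the policy check only to the canonical name. It assumes Python's standard-library punycode codec and covers only this one rule, not full IDNA validation; all function names and the sample deny list are hypothetical.

```python
"""Added example: reject Punycode labels that decode to ASCII-only text."""

ACE_PREFIX = "xn--"


class HostnameError(ValueError):
    """The hostname must not be accepted."""


def decode_label(label: str) -> str:
    """Return the Unicode form of one ASCII DNS label, or raise HostnameError."""
    lower = label.lower()
    if not lower.startswith(ACE_PREFIX):
        if not lower.isascii():
            raise HostnameError(f"expected an ASCII label: {label!r}")
        return lower
    try:
        decoded = lower[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    except UnicodeError as exc:
        raise HostnameError(f"malformed Punycode label: {label!r}") from exc
    # A real A-label carries at least one non-ASCII code point. An empty or
    # ASCII-only result is a second spelling of a plain label, so refuse it.
    if decoded.isascii():
        raise HostnameError(f"Punycode label decodes to ASCII: {label!r}")
    return decoded


def canonical_host(host: str) -> str:
    """Decode every label of an ASCII hostname; raise on any bad label."""
    return ".".join(decode_label(part) for part in host.rstrip(".").split("."))


def naive_permitted(host: str, denied: set) -> bool:
    """Flawed ordering from the description: compare the raw string only."""
    return host.lower() not in denied


def is_permitted(host: str, denied: set) -> bool:
    """Canonicalize first, compare second; invalid hostnames are refused."""
    try:
        return canonical_host(host) not in denied
    except HostnameError:
        return False


if __name__ == "__main__":
    denied = {"example.com"}  # constructed sample policy
    for name in ("example.com", "xn--example-.com", "xn--mnchen-3ya.de"):
        print(name, naive_permitted(name, denied), is_permitted(name, denied))
```
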

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

CVE-2026-39821
GO-2026-5026

Affected Products

Idna