CVE-2026-39821
ADVISORY - nistSummary
The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".
EPSS Score: 0.00045 (0.141)
Common Weakness Enumeration (CWE)
ADVISORY - nist
Improper Validation of Unsafe Equivalence in Input
NIST
CREATED
UPDATED
ADVISORY IDCVE-2026-39821
EXPLOITABILITY SCORE
3.1
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
9.6criticalUbuntu
CREATED
UPDATED
ADVISORY IDCVE-2026-39821
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
CVSS SCORE
N/AmediumGoLang
CREATED
UPDATED
ADVISORY IDGO-2026-5026
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-