PYSEC-2026-141

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2026-141.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2026-141

Aliases

Published

2026-05-13T16:16:57.150Z

Modified

2026-05-20T09:19:20.983812Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connectionfromurl().urlopen(..., assertsamehost=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.

References

https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc

Affected packages

PyPI / urllib3

Package

Name: urllib3; View open source insights on deps.dev
Purl: pkg:pypi/urllib3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.23

Fixed

2.7.0

Affected versions

1.*

1.23

1.24

1.24.1

1.24.2

1.24.3

1.25

1.25.1

1.25.2

1.25.3

1.25.4

1.25.5

1.25.6

1.25.7

1.25.8

1.25.9

1.25.10

1.25.11

1.26.0

1.26.1

1.26.2

1.26.3

1.26.4

1.26.5

1.26.6

1.26.7

1.26.8

1.26.9

1.26.10

1.26.11

1.26.12

1.26.13

1.26.14

1.26.15

1.26.16

1.26.17

1.26.18

1.26.19

1.26.20

2.*

2.0.0a1

2.0.0a2

2.0.0a3

2.0.0a4

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.1.0

2.2.0

2.2.1

2.2.2

2.2.3

2.3.0

2.4.0

2.5.0

2.6.0

2.6.1

2.6.2

2.6.3

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2026-141.yaml"