CVE-2026-39821 · CRITICAL 10.0 · EPSS p27.6%

Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permit access to the Unicode name "example.com".

Scoring

CVSS 3.1: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS: 0.36% probability of exploitation · percentile 27.6% · 2026-06-18T12:00:27Z
Published: 2026-05-22
Last modified: 2026-05-22

Underlying weaknesses · 1

CWE-1289

References

  1. https://go.dev/cl/767220
  2. https://go.dev/issue/78760
  3. https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
  4. https://pkg.go.dev/vuln/GO-2026-5026


Type: Weakness · Target: Improper Validation of Unsafe Equivalence in Input (cwe-1289) · Confidence: 90% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-45409
  2. CVE-2026-42000
  3. CVE-2026-3833
  4. CVE-2026-49942
  5. CVE-2026-49940
  6. CVE-2026-42012

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.