
python urllib3

19 known vulnerabilities across versions
Vulnerabilities are listed by CVE with the affected version range and CVSS base score.
CVE-2026-44432 (CVSS 7.5 HIGH)
Affected versions: >= 2.6.0 and < 2.7.0
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of t

CVE-2026-44431 (CVSS 5.3 MEDIUM)
Affected versions: >= 1.23 and < 2.7.0
urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API vi

CVE-2026-21441 (CVSS 7.5 HIGH)
Affected versions: >= 1.22 and < 2.6.3
urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP respons

CVE-2025-66471 (CVSS 7.5 HIGH)
Affected versions: >= 1.0 and < 2.6.0
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperl

CVE-2025-66418 (CVSS 7.5 HIGH)
Affected versions: >= 1.24 and < 2.6.0
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the

CVE-2025-50182 (CVSS 5.3 MEDIUM)
Affected versions: >= 2.2.0 and < 2.5.0
urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control

CVE-2025-50181 (CVSS 5.3 MEDIUM)
Affected versions: < 2.5.0
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by

CVE-2024-37891 (CVSS 4.4 MEDIUM)
Affected versions: < 1.26.19
urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with ProxyManager, the `Proxy-Auth

CVE-2023-45803 (CVSS 4.2 MEDIUM)
Affected versions: < 1.26.18
urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP r

CVE-2018-25091 (CVSS 6.1 MEDIUM)
Affected versions: < 1.24.2
urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that

CVE-2023-43804 (CVSS 5.9 MEDIUM)
Affected versions: < 1.26.17
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any h

CVE-2021-33503 (CVSS 7.5 HIGH)
Affected versions: >= 1.25.4 and < 1.26.5
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component

CVE-2021-28363 (CVSS 6.5 MEDIUM)
Affected versions: >= 1.26.0 and < 1.26.4
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxie

CVE-2020-26137 (CVSS 6.5 MEDIUM)
Affected versions: < 1.25.9
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and

CVE-2020-7212 (CVSS 7.5 HIGH)
Affected versions: >= 1.25.2 and <= 1.25.7
The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of servi

CVE-2019-11324 (CVSS 7.5 HIGH)
Affected versions: < 1.24.2
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from t

CVE-2019-11236 (CVSS 6.1 MEDIUM)
Affected versions: <= 1.24.2
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.

CVE-2018-20060 (CVSS 9.8 CRITICAL)
Affected versions: < 1.23
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect

CVE-2016-9015 (CVSS 3.7 LOW)
Affected versions: all versions
Versions 1.17 and 1.18 of the Python urllib3 library suffer from a vulnerability that can cause them, in certain configurations, t
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin