Skip to main content

Urllib3 CVE-2020-26137

MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2020-09-30 cve@mitre.org
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 30, 2020 - 18:15 nvd
MEDIUM 6.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 169 pypi packages depend on urllib3 (165 direct, 4 indirect)

Ecosystem-wide dependent count for version 1.25.9.

DescriptionNVD

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

AnalysisAI

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-74. urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. Affected products include: Python Urllib3, Canonical Ubuntu Linux, Debian Debian Linux, Oracle Communications Cloud Native Core Network Function Cloud Native Environment, Oracle Zfs Storage Appliance Kit. Version information: before 1.25.9.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2024-37891 MEDIUM POC
6.5 Jun 17

urllib3 is a user-friendly HTTP client library for Python. Rated medium severity (CVSS 6.5), this vulnerability is remot

CVE-2019-11236 MEDIUM POC
6.1 Apr 15

In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parame

CVE-2018-20060 CRITICAL
9.8 Dec 11

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e.,

CVE-2025-50181 MEDIUM POC
5.3 Jun 19

urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all r

CVE-2026-21441 HIGH
8.9 Jan 07

Uncontrolled resource consumption in the Python urllib3 HTTP client library (versions 1.22 through 2.6.2) lets a malicio

CVE-2023-43804 HIGH
8.1 Oct 04

urllib3 is a user-friendly HTTP client library for Python. Rated high severity (CVSS 8.1), this vulnerability is remotel

CVE-2025-66418 HIGH
7.5 Dec 05

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of li

CVE-2025-66471 HIGH
7.5 Dec 05

A security vulnerability in version 1.0 and (CVSS 7.5). High severity vulnerability requiring prompt remediation. Vendor

CVE-2021-33503 HIGH
7.5 Jun 29

An issue was discovered in urllib3 before 1.26.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploit

CVE-2020-7212 HIGH
7.5 Mar 06

The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denia

CVE-2019-11324 HIGH
7.5 Apr 18

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is differ

CVE-2021-28363 MEDIUM
6.5 Mar 15

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HT

Share

CVE-2020-26137 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy