Every CVE whose affected-product data names Python Urllib3, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (19)
CVE-2018-20060 — CVSS 9.8 (critical): urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that…
CVE-2025-66471 — CVSS 7.5 (high): urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles…
CVE-2021-33503 — CVSS 7.5 (high): An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the…
CVE-2026-44432 — CVSS 7.5 (high): urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the…
CVE-2026-21441 — CVSS 7.5 (high): urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by…
CVE-2025-66418 — CVSS 7.5 (high): urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the…
CVE-2019-11324 — CVSS 7.5 (high): The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS…
CVE-2020-7212 — CVSS 7.5 (high): The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU…
CVE-2021-28363 — CVSS 6.5 (medium): The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The…
CVE-2020-26137 — CVSS 6.5 (medium): urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF…
CVE-2018-25091 — CVSS 6.1 (medium): urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs…
CVE-2019-11236 — CVSS 6.1 (medium): In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
CVE-2023-43804 — CVSS 5.9 (medium): urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers…
CVE-2025-50182 — CVSS 5.3 (medium): urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects…
CVE-2025-50181 — CVSS 5.3 (medium): urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by…
CVE-2026-44431 — CVSS 5.3 (medium): urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via…
CVE-2024-37891 — CVSS 4.4 (medium): urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the…
CVE-2023-45803 — CVSS 4.2 (medium): urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect…
CVE-2016-9015 — CVSS 3.7 (low): Versions 1.17 and 1.18 of the Python urllib3 library suffer from a vulnerability that can cause them, in certain configurations, to not…