VDB

ALPINE-CVE-2020-26137

ALPINE-CVE-2020-26137 PUBLISHED CVSS 6.5 MEDIUM

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Risk Scores

CVSS v3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersions
Alpine:v3.15py3-urllib31.18-r0, 0, 1.24.1-r0
Alpine:v3.13py3-urllib30, 1.25.8-r0, 1.25.7-r1
Alpine:v3.23py3-urllib31.25.2-r0, 1.25.8-r0, 1.25.7-r1
Alpine:v3.19py3-urllib31.25.8-r0, 1.18-r0, 1.21.1-r0
Alpine:v3.21py3-urllib31.25.1-r0, 0, 1.18-r0
Alpine:v3.20py3-urllib31.25.7-r1, 1.25.8-r0, 1.18-r0
Alpine:v3.18py3-urllib31.18-r0, 0, 1.25.8-r0
Alpine:v3.22py3-urllib31.25.7-r1, 1.25.8-r0, 1.18-r0
Alpine:v3.17py3-urllib30, 0, 1.18-r0
Alpine:v3.14py3-urllib31.22-r0, 1.25.8-r0, 1.25.7-r1
Alpine:v3.16py3-urllib31.25.7-r1, 1.21.1-r0, 1.22-r0

Timeline

  • Sep 30, 2020 CVE Published
  • Dec 3, 2025 CVE Updated
  • Apr 30, 2026 Distribution Patch

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›