{"id":"PYSEC-2026-251","details":"WebOb provides objects for HTTP requests and responses. Prior to 1.8.10, the normalization of the HTTP Location header during a redirect is vulnerable to an open redirect: WebOb joins the redirect target to the request URI using Python's urljoin, and since Python 3.10 the underlying urlsplit strips ASCII tab, carriage return, and newline characters before parsing, so a redirect target containing such characters can be reinterpreted as a protocol-relative URL whose authority is an attacker-controlled host. This bypasses the CVE-2024-42353 fix that escaped a leading double slash, allowing an attacker who influences the redirect location to send users to an arbitrary external site instead of the intended one. This vulnerability is fixed in 1.8.10.","aliases":["CVE-2026-44889","GHSA-fh3h-vg37-cc95"],"modified":"2026-06-27T11:15:06.802750750Z","published":"2026-06-22T22:16:46.350Z","references":[{"type":"ADVISORY","url":"https://github.com/Pylons/webob/security/advisories/GHSA-fh3h-vg37-cc95"}],"affected":[{"package":{"name":"webob","ecosystem":"PyPI","purl":"pkg:pypi/webob"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.8.10"}]}],"versions":["0.8","0.8.1","0.8.2","0.8.3","0.8.4","0.8.5","0.9","0.9.1","0.9.2","0.9.3","0.9.4","0.9.5","0.9.6","0.9.6.1","0.9.7","0.9.7.1","0.9.8","1.0","1.0.1","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.1","1.1.1","1.1b2","1.1beta1","1.1rc1","1.2","1.2.1","1.2.2","1.2.3","1.2b1","1.2b2","1.2b3","1.2rc1","1.3","1.3.1","1.4","1.4.1","1.4.2","1.5.0","1.5.0a0","1.5.0a1","1.5.0b0","1.5.1","1.6.0","1.6.0a0","1.6.1","1.6.2","1.6.3","1.6.4","1.7.0","1.7.0rc1","1.7.0rc2","1.7.1","1.7.2","1.7.3","1.7.4","1.8.0","1.8.0rc1","1.8.1","1.8.2","1.8.3","1.8.4","1.8.5","1.8.6","1.8.7","1.8.8","1.8.9"],"ecosystem_specific":{},"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/webob/PYSEC-2026-251.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}