
UPinar/contrastapi

v1.33.21 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 4d MCP Security & Auth
This release patches 3 known CVEs

Topics

ai-agents, ai-security, api, claude, cve, security, domain-recon, email-security, email-validation, llm-tools, mcp, mitre-atlas, mitre-d3fend, model-context-protocol, osint, sigma-rules, threat-intelligence, vulnerability-management, web-intel

Affected surfaces

deps

ReleasePort's take

Light signal
editorial:auto 4d

The release patches CVE-2026-44432 in urllib3 by upgrading to 2.7.0 and patches CVE-2026-7246 in click by upgrading to 8.3.3.

Why it matters: CVE severity is high (severity 80) for both vulnerabilities; upgrade urllib3 to ≥2.7.0 and click to ≥8.3.3 immediately to mitigate risk.

Summary

AI summary

Dependency-only release: upgrades urllib3 to 2.7.0 and click to 8.3.3 to patch CVEs in transitive dependencies (including the urllib3 Brotli decompression fix), with no compatibility change.

Changes in this release

  • Security (High): Patches CVE-2026-44432 in urllib3 by upgrading to 2.7.0. (Source: llm_adapter@2026-05-31; confidence: high)
  • Security (High): Patches CVE-2026-7246 in click by upgrading to 8.3.3. (Source: llm_adapter@2026-05-31; confidence: high)
  • Dependency (Low): Upgrades urllib3 from 2.6.3 to 2.7.0. (Source: llm_adapter@2026-05-31; confidence: high)
  • Dependency (Low): Upgrades click from 8.3.1 to 8.3.3. (Source: llm_adapter@2026-05-31; confidence: high)

Full changelog

Security

Patches three CVEs in transitive dependencies by pinning the fixed upstream versions. No application behavior change — both packages are transitive-only with no direct imports in app code.

  • urllib3 2.6.3 → 2.7.0
    • CVE-2026-44432 (HIGH): response could be fully decompressed instead of the requested portion on a second read(amt=N) / drain (Brotli).
    • CVE-2026-44431 (MED): sensitive headers forwarded on cross-origin redirects via the low-level ProxyManager path.
  • click 8.3.1 → 8.3.3
    • CVE-2026-7246 (HIGH): command injection in click.edit(). Not reachable from the server (click is transitive via uvicorn/typer; click.edit() is never called).

Compatibility

  • No schema, route, or contract change. MCP tools / Resources / Prompts unchanged (53 / 7 / 3).
  • Pinned explicitly for reproducibility; dependency graph resolves cleanly (pip check / pip-audit green).

Tests

2491 passed (no change — dependency-only bump).

Security Fixes

  • dep: CVE-2026-44432 (HIGH) — urllib3 2.7.0 fixes full decompression of Brotli responses on second read.
  • dep: CVE-2026-44431 (MED) — urllib3 2.7.0 prevents sensitive header forwarding on cross-origin redirects via ProxyManager.
  • dep: CVE-2026-7246 (HIGH) — click 8.3.3 eliminates command injection in `click.edit()`; not reachable from the server.
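As an added example (not code from the project or from this page), a small Python check a reviewer can run over `pip freeze` output from a deployment to confirm it carries the two pins this release requires. The fixed versions and CVE ids are taken from the changelog above; the sample freeze is constructed.

```python
import re

# Fixed upstream versions from the v1.33.21 changelog and the CVEs they close.
FIXED_VERSIONS = {
    "urllib3": ("2.7.0", ["CVE-2026-44432", "CVE-2026-44431"]),
    "click": ("8.3.3", ["CVE-2026-7246"]),
}

def version_key(text):
    """Comparable 4-int tuple: '2.7' -> (2,7,0,0); '2.7.0rc1' compares as 2.7.0."""
    parts = []
    for comp in text.strip().split(".")[:4]:
        m = re.match(r"\d+", comp)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts + [0] * (4 - len(parts)))

def parse_freeze(freeze_text):
    """Parse `pip freeze` lines ('name==version') into {normalised_name: version}."""
    pins = {}
    for line in freeze_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue  # skips comments and editable/VCS entries
        name, version = line.split("==", 1)
        pins[name.strip().lower().replace("_", "-")] = version.strip()
    return pins

def find_unpatched(freeze_text, fixed=FIXED_VERSIONS):
    """Return {pkg: (installed, required, cves)} for pins below the fixed version."""
    pins = parse_freeze(freeze_text)
    findings = {}
    for pkg, (required, cves) in fixed.items():
        installed = pins.get(pkg)  # packages absent from the freeze are not reported
        if installed is not None and version_key(installed) < version_key(required):
            findings[pkg] = (installed, required, cves)
    return findings

# Constructed sample freeze (not from the project) still on the pre-release pins.
SAMPLE_FREEZE = """\
click==8.3.1
urllib3==2.6.3
uvicorn==0.30.0
"""

if __name__ == "__main__":
    for pkg, (have, need, cves) in find_unpatched(SAMPLE_FREEZE).items():
        print(f"{pkg} {have} < {need}: {', '.join(cves)}")
```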


About UPinar/contrastapi

Security intelligence API with 31 MCP tools for CVE/EPSS/KEV lookup, domain recon (DNS/WHOIS/SSL/subdomains/CT logs), IOC/threat intel, OSINT (email/phone/username), and code security scanning (secrets, injection). Free 100 req/hr.


Earlier breaking changes

  • v1.33.11 `bulk_sigma_rule_lookup` now costs 1 credit per `rule_id`, changing from flat 1 credit/call.
