CVE-2026-4519
7
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Python Software Foundation | CPython | 0 < 3.13.13 | affected |
| Python Software Foundation | CPython | 3.14.0 < 3.14.4 | affected |
| Python Software Foundation | CPython | 3.15.0a1 < 3.15.0a8 | affected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
python: Python: Command-line option injection in webbrowser.open() via crafted URLs
Additional References
- https://access.redhat.com/security/cve/CVE-2026-4519
- https://bugzilla.redhat.com/show_bug.cgi?id=2449649
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4519.json
- https://access.redhat.com/errata/RHSA-2026:10102
- https://access.redhat.com/errata/RHSA-2026:9614
- https://access.redhat.com/errata/RHSA-2026:9745
- https://access.redhat.com/errata/RHSA-2026:13812
- https://access.redhat.com/errata/RHSA-2026:7244
- https://access.redhat.com/errata/RHSA-2026:6256
- https://access.redhat.com/errata/RHSA-2026:19064
- https://access.redhat.com/errata/RHSA-2026:19019
- https://access.redhat.com/errata/RHSA-2026:6473
- https://access.redhat.com/errata/RHSA-2026:6281
- https://access.redhat.com/errata/RHSA-2026:6283
- https://access.redhat.com/errata/RHSA-2026:9387
- https://access.redhat.com/errata/RHSA-2026:9621
- https://access.redhat.com/errata/RHSA-2026:9386
- https://access.redhat.com/errata/RHSA-2026:9289
- https://access.redhat.com/errata/RHSA-2026:9591
- https://access.redhat.com/errata/RHSA-2026:9261
- https://access.redhat.com/errata/RHSA-2026:9262
- https://access.redhat.com/errata/RHSA-2026:9260
- https://access.redhat.com/errata/RHSA-2026:10101
- https://access.redhat.com/errata/RHSA-2026:9042
- https://access.redhat.com/errata/RHSA-2026:10111
- https://access.redhat.com/errata/RHSA-2026:9354
- https://access.redhat.com/errata/RHSA-2026:9705
- https://access.redhat.com/errata/RHSA-2026:7010
- https://access.redhat.com/errata/RHSA-2026:6766
- https://access.redhat.com/errata/RHSA-2026:6286
- https://access.redhat.com/errata/RHSA-2026:6285
- https://access.redhat.com/errata/RHSA-2026:19216
- https://access.redhat.com/errata/RHSA-2026:19175
- https://access.redhat.com/errata/RHSA-2026:19177
- https://access.redhat.com/errata/RHSA-2026:19176
- https://access.redhat.com/errata/RHSA-2026:25096
- https://access.redhat.com/errata/RHSA-2026:7335
- https://access.redhat.com/errata/RHSA-2026:19724
- https://access.redhat.com/errata/RHSA-2026:19725
- https://access.redhat.com/errata/RHSA-2026:16008
- https://access.redhat.com/errata/RHSA-2026:8748
- https://access.redhat.com/errata/RHSA-2026:8746
- https://access.redhat.com/errata/RHSA-2026:16030
- https://access.redhat.com/errata/RHSA-2026:8747
- https://access.redhat.com/errata/RHSA-2026:16009
- https://access.redhat.com/errata/RHSA-2026:16174
- https://access.redhat.com/errata/RHSA-2026:7329
- https://access.redhat.com/errata/RHSA-2026:10140
- https://access.redhat.com/errata/RHSA-2026:10141
- https://access.redhat.com/errata/RHSA-2026:6016
- https://access.redhat.com/errata/RHSA-2026:6035
- https://access.redhat.com/errata/RHSA-2026:7443
- https://access.redhat.com/errata/RHSA-2026:7661
- https://access.redhat.com/errata/RHSA-2026:21275
- https://access.redhat.com/errata/RHSA-2026:10065
References
- https://github.com/python/cpython/pull/143931
- https://github.com/python/cpython/issues/143930
- https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/
- https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866
- https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b
- https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76
- https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5
- https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03
- https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48
- https://github.com/python/cpython/commit/3681d47a440865aead912a054d4599087b4270dd
- https://github.com/python/cpython/commit/591ed890270c5697b013bf637029fb3e6cd2d73e
- https://github.com/python/cpython/commit/594b5a05dc9913880ac92eded440defbf32a28d1
- https://github.com/python/cpython/commit/89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4
- https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c
- https://github.com/python/cpython/commit/cc023511238ad93ecc8796157c6f9139a2bb2932
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.