CVE-2026-4786

Summary

Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.

Affected Software

VendorProductVersion RangeStatus
Python Software FoundationCPython0 < 3.13.14affected
Python Software FoundationCPython3.14.0a1 < 3.14.5rc1affected
Python Software FoundationCPython3.15.0a1 < 3.15.0b1affected

Weaknesses

  • CWE-77: CWE-77

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API

Additional References

References