CVE-2026-4519 — Improper Input Validation in Software Foundation CPython
Severity
7.0 HIGH (NVD)
EPSS
0.0%
top 90.04%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 20
Latest update: Apr 13
Description
The webbrowser.open() API would accept leading dashes in the URL which
could be handled as command line options for certain web browsers. New
behavior rejects leading dashes. Users are recommended to sanitize URLs
prior to passing to webbrowser.open().
CVSS vector
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected Packages: 1 package
Vulnerability Details: 3
Vendor Advisories: 4
Threat Intelligence: 1
Community: 5
Bugzilla: CVE-2026-4786 python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API (2026-04-13)
Bugzilla: CVE-2026-4519 python3.15: Python: Command-line option injection in webbrowser.open() via crafted URLs [fedora-all] (2026-03-20)
Bugzilla: CVE-2026-4519 python: Python: Command-line option injection in webbrowser.open() via crafted URLs (2026-03-20)
Bugzilla: CVE-2026-4519 python3.13: Python: Command-line option injection in webbrowser.open() via crafted URLs [epel-all] (2026-03-20)
Bugzilla: CVE-2026-4519 mingw-python3: Python: Command-line option injection in webbrowser.open() via crafted URLs [fedora-all] (2026-03-20)