CVE-2026-4786 — Argument Injection in Software Foundation Cpython

CWE-88 — Argument Injection CWE-77 — Command Injection17 documents5 sources

Severity

7.0HIGHNVD

EPSS

0.0%

top 97.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Software Foundation Cpython

Timeline

PublishedApr 13

Latest updateApr 14

Description

Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages1 packages

▶CVEListV5python_software_foundation/cpython< 3.15.0

🔴Vulnerability Details

GHSA

GHSA-cccx-m78h-m3xw: Mitgation of CVE-2026-4519 was incomplete↗2026-04-14

▶

CVEList

Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()↗2026-04-13

▶

📋Vendor Advisories

Red Hat

python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API↗2026-04-13

▶

💬Community

Bugzilla

CVE-2026-4786 python3.10: Python: Arbitrary code execution via command injection in webbrowser.open() API [fedora-all]↗2026-04-14

▶

Bugzilla

CVE-2026-4786 python3.13: Python: Arbitrary code execution via command injection in webbrowser.open() API [fedora-all]↗2026-04-14

▶

Bugzilla

CVE-2026-4786 asahi-installer: Python: Arbitrary code execution via command injection in webbrowser.open() API [fedora-all]↗2026-04-14

▶

Bugzilla

CVE-2026-4786 python3.13: Python: Arbitrary code execution via command injection in webbrowser.open() API [epel-all]↗2026-04-14

▶

Bugzilla

CVE-2026-4786 python3.15: Python: Arbitrary code execution via command injection in webbrowser.open() API [fedora-all]↗2026-04-14

▶