FKIE_CVE-2026-4519

Vulnerability from fkie_nvd - Published: 2026-03-20 15:16 - Updated: 2026-03-25 18:16
Severity ?
7.0 (High) - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
References
cna@python.orghttps://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866
cna@python.orghttps://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b
cna@python.orghttps://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76
cna@python.orghttps://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5
cna@python.orghttps://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48
cna@python.orghttps://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03
cna@python.orghttps://github.com/python/cpython/issues/143930
cna@python.orghttps://github.com/python/cpython/pull/143931
cna@python.orghttps://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2026/03/20/1
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The webbrowser.open() API would accept leading dashes in the URL which \ncould be handled as command line options for certain web browsers. New \nbehavior rejects leading dashes. Users are recommended to sanitize URLs \nprior to passing to webbrowser.open()."
    }
  ],
  "id": "CVE-2026-4519",
  "lastModified": "2026-03-25T18:16:33.073",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.0,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "ACTIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "cna@python.org",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T15:16:24.057",
  "references": [
    {
      "source": "cna@python.org",
      "url": "https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866"
    },
    {
      "source": "cna@python.org",
      "url": "https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b"
    },
    {
      "source": "cna@python.org",
      "url": "https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76"
    },
    {
      "source": "cna@python.org",
      "url": "https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5"
    },
    {
      "source": "cna@python.org",
      "url": "https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48"
    },
    {
      "source": "cna@python.org",
      "url": "https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03"
    },
    {
      "source": "cna@python.org",
      "url": "https://github.com/python/cpython/issues/143930"
    },
    {
      "source": "cna@python.org",
      "url": "https://github.com/python/cpython/pull/143931"
    },
    {
      "source": "cna@python.org",
      "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2026/03/20/1"
    }
  ],
  "sourceIdentifier": "cna@python.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.