FKIE_CVE-2026-4519

Vulnerability from fkie_nvd - Published: 2026-03-20 15:16 - Updated: 2026-04-16 14:53
Summary
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
References
cna@python.org https://github.com/python/cpython/commit/3681d47a440865aead912a054d4599087b4270dd Patch
cna@python.org https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866 Patch
cna@python.org https://github.com/python/cpython/commit/591ed890270c5697b013bf637029fb3e6cd2d73e Patch
cna@python.org https://github.com/python/cpython/commit/594b5a05dc9913880ac92eded440defbf32a28d1 Patch
cna@python.org https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b Patch
cna@python.org https://github.com/python/cpython/commit/89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4 Patch
cna@python.org https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76 Patch
cna@python.org https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c Patch
cna@python.org https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5 Patch
cna@python.org https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48 Patch
cna@python.org https://github.com/python/cpython/commit/cc023511238ad93ecc8796157c6f9139a2bb2932 Patch
cna@python.org https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03 Patch
cna@python.org https://github.com/python/cpython/issues/143930 Issue Tracking, Patch
cna@python.org https://github.com/python/cpython/pull/143931 Issue Tracking, Patch
cna@python.org https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/ Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 http://www.openwall.com/lists/oss-security/2026/03/20/1 Mailing List, Third Party Advisory
Impacted products
Vendor Product Version
python python * (before 3.13.13)
python python * (from 3.14.0, before 3.14.4)
python python 3.15.0 alpha1
python python 3.15.0 alpha2
python python 3.15.0 alpha3
python python 3.15.0 alpha4
python python 3.15.0 alpha5
python python 3.15.0 alpha6
python python 3.15.0 alpha7

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "74460139-CF2A-457B-82B4-7B655FB576B1",
              "versionEndExcluding": "3.13.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AA3B34C3-1E02-4674-8370-0DD4D24DBE58",
              "versionEndExcluding": "3.14.4",
              "versionStartIncluding": "3.14.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:3.15.0:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "A3327507-0B1D-4F28-A983-D07A2C8A7696",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:3.15.0:alpha2:*:*:*:*:*:*",
              "matchCriteriaId": "C8AF17F1-A27F-4C98-BA5A-B4319710E8D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:3.15.0:alpha3:*:*:*:*:*:*",
              "matchCriteriaId": "24CF56B0-2F4E-42A2-B655-F493AA0A4815",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:3.15.0:alpha4:*:*:*:*:*:*",
              "matchCriteriaId": "7184ABBA-B100-489E-B5C1-1C9EEC0546CA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:3.15.0:alpha5:*:*:*:*:*:*",
              "matchCriteriaId": "B6D4181B-3E1B-499B-AAB1-50868A6A6AD3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:3.15.0:alpha6:*:*:*:*:*:*",
              "matchCriteriaId": "A52F6DD2-717D-4E8C-8DB7-00890BC1ABAE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:3.15.0:alpha7:*:*:*:*:*:*",
              "matchCriteriaId": "8C46C55C-801E-4F86-B669-8E6A12B4AB6F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The webbrowser.open() API would accept leading dashes in the URL which \ncould be handled as command line options for certain web browsers. New \nbehavior rejects leading dashes. Users are recommended to sanitize URLs \nprior to passing to webbrowser.open()."
    },
    {
      "lang": "es",
      "value": "La API webbrowser.open() aceptaba guiones iniciales en la URL que podr\u00edan ser interpretados como opciones de l\u00ednea de comandos para ciertos navegadores web. El nuevo comportamiento rechaza los guiones iniciales. Se recomienda a los usuarios sanear las URL antes de pasarlas a webbrowser.open()."
    }
  ],
  "id": "CVE-2026-4519",
  "lastModified": "2026-04-16T14:53:22.860",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 3.3,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.0,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "ACTIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "cna@python.org",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T15:16:24.057",
  "references": [
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/3681d47a440865aead912a054d4599087b4270dd"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/591ed890270c5697b013bf637029fb3e6cd2d73e"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/594b5a05dc9913880ac92eded440defbf32a28d1"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/cc023511238ad93ecc8796157c6f9139a2bb2932"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/python/cpython/issues/143930"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/python/cpython/pull/143931"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2026/03/20/1"
    }
  ],
  "sourceIdentifier": "cna@python.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

