PatchSiren

CVE-2026-4519 Python Software Foundation CVE debrief

CVE-2026-4519 is a high-severity vulnerability in the Python webbrowser.open() API. The API previously accepted leading dashes in URLs, which could be handled as command line options for certain web browsers. This behavior has been changed to reject leading dashes. Users are advised to sanitize URLs prior to passing them to webbrowser.open(). The vulnerability has a CVSS score of 7 and is considered high severity. The CVE was published on March 20, 2026, and modified on June 30, 2026.

Vendor: Python Software Foundation
Product: CPython
CVSS: HIGH 7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-20
Original CVE updated: 2026-06-30
Advisory published: 2026-03-20
Advisory updated: 2026-06-30

Who should care

Developers and users of the Python webbrowser module should be aware of this vulnerability. The vulnerability could potentially be used to execute arbitrary commands on a user's system if an attacker can provide a malicious URL. Users of Python 3.13.13 and earlier, as well as users of Python 3.14.4 and earlier, are affected.

Technical summary

The webbrowser.open() API in Python previously accepted leading dashes in URLs, which could be interpreted as command line options by certain web browsers. This could potentially be used to execute arbitrary commands on a user's system. The behavior has been changed to reject leading dashes. The vulnerability is considered high severity with a CVSS score of 7. Affected versions include Python 3.13.13 and earlier, as well as Python 3.14.4 and earlier.

Defensive priority

High priority should be given to updating Python to the latest version; the webbrowser module is part of the CPython standard library and is updated with the interpreter. URLs should also be sanitized before they are passed to webbrowser.open().

Recommended defensive actions

  • Update Python to the latest version; the webbrowser module is part of the CPython standard library and is updated with the interpreter.
  • Sanitize URLs prior to passing them to webbrowser.open().
  • Monitor for any suspicious activity related to the webbrowser module.
  • Consider implementing additional security measures to prevent command injection attacks.
  • Review and update any code that uses the webbrowser module to ensure it is secure.

Evidence notes

The CVE record and NVD detail provide information on the vulnerability. The source item URL provides additional details on the vulnerability, including references to patches and mitigations. The CVE was published on March 20, 2026, and modified on June 30, 2026.

Official resources

This article was generated with AI assistance based on the supplied source corpus.