PatchSiren cyber security CVE debrief
CVE-2026-4519 Python Software Foundation CVE debrief
CVE-2026-4519 is a high-severity vulnerability in the Python webbrowser.open() API. The API previously accepted leading dashes in URLs, which could be handled as command line options for certain web browsers. This behavior has been changed to reject leading dashes. Users are advised to sanitize URLs prior to passing them to webbrowser.open(). The vulnerability has a CVSS score of 7 and is considered high severity. The CVE was published on March 20, 2026, and modified on June 30, 2026.
- Vendor: Python Software Foundation
- Product: CPython
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-20
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-20
- Advisory updated: 2026-06-30
Who should care
Developers and users of the Python webbrowser module should be aware of this vulnerability. The vulnerability could potentially be used to execute arbitrary commands on a user's system if an attacker can provide a malicious URL. Users of Python 3.13.13 and earlier, as well as users of Python 3.14.4 and earlier, are affected.
Technical summary
The webbrowser.open() API in Python previously accepted leading dashes in URLs, which could be interpreted as command line options by certain web browsers. This could potentially be used to execute arbitrary commands on a user's system. The behavior has been changed to reject leading dashes. The vulnerability is considered high severity with a CVSS score of 7. Affected versions include Python 3.13.13 and earlier, as well as Python 3.14.4 and earlier.
Defensive priority
High priority should be given to updating the Python webbrowser module to the latest version. Users should also ensure that URLs are properly sanitized before passing them to webbrowser.open().
Recommended defensive actions
- Update Python to the latest patched release; the webbrowser module ships with the standard library, so the fix arrives with the interpreter update.
- Sanitize URLs prior to passing them to webbrowser.open().
- Monitor for any suspicious activity related to the webbrowser module.
- Consider implementing additional security measures to prevent command injection attacks.
- Review and update any code that uses the webbrowser module to ensure it is secure.
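The sanitization step above can be made concrete with a small validating wrapper around webbrowser.open(). The code below is an added example written for this debrief, not code from CPython or the upstream patch. It rejects the leading-dash case the advisory describes and, as an additional design choice that goes beyond the upstream fix, only lets absolute http(s) URLs through; the allowlist, the function names and the injectable opener parameter are all assumptions of this example.

```python
"""Validating wrapper for webbrowser.open() (added example, not CPython code)."""
import webbrowser
from urllib.parse import urlsplit

# Assumption of this example: only web URLs should ever reach the browser.
ALLOWED_SCHEMES = {"http", "https"}


def validate_url(url: str) -> str:
    """Return url unchanged if it is a plain absolute http(s) URL.

    Raises ValueError otherwise. A leading dash is rejected explicitly
    because some browsers would treat such a string as a command line
    option rather than as a page to load.
    """
    if not isinstance(url, str):
        raise ValueError("URL must be a string")
    if url.startswith("-"):
        raise ValueError("URL starts with a dash and could be read as a browser option")
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        # Whitespace or control characters could let a second token be
        # smuggled into the argument list; refuse rather than try to repair.
        raise ValueError("URL contains whitespace or control characters")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} is not allowed")
    if not parts.netloc:
        raise ValueError("URL has no host component")
    return url


def is_safe_url(url: str) -> bool:
    """Boolean convenience wrapper around validate_url()."""
    try:
        validate_url(url)
    except ValueError:
        return False
    return True


def safe_open(url: str, opener=webbrowser.open) -> bool:
    """Validate url, then hand it to opener (webbrowser.open by default).

    The opener parameter exists so the wrapper can be exercised without
    launching a real browser; it is an assumption of this example.
    """
    return opener(validate_url(url))


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate URL and several that must be refused.
    samples = [
        "https://example.com/docs",
        "-incognito",
        "--new-window https://example.com",
        "javascript:alert(1)",
        "file:///etc/hosts",
        "example.com",
    ]
    for candidate in samples:
        print(f"{candidate!r}: {'accepted' if is_safe_url(candidate) else 'rejected'}")

    # Dry-run opener so the demonstration does not start a browser.
    safe_open("https://example.com/docs", opener=lambda u: print("would open", u) or True)
```

Callers that already hold a URL from untrusted input (a message body, a query parameter, a config file) should route it through safe_open() rather than webbrowser.open() directly; the check is cheap and fails closed.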
Evidence notes
The CVE record and NVD detail provide information on the vulnerability. The source item URL provides additional details on the vulnerability, including references to patches and mitigations. The CVE was published on March 20, 2026, and modified on June 30, 2026.
Official resources
- CVE-2026-4519 CVE record (CVE.org)
- CVE-2026-4519 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Patch
This article was generated with AI assistance based on the supplied source corpus.