PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-4786 Python Software Foundation CVE debrief

CVE-2026-4786 is a high-severity vulnerability in CPython's webbrowser module that stems from the incomplete mitigation of CVE-2026-4519. For certain browser types, a URL passed to the webbrowser.open() API that contains the string '%action' can lead to command injection into the underlying shell. The vulnerability has a CVSS score of 7.0 and is rated HIGH.

Vendor
Python Software Foundation
Product
CPython
CVSS
HIGH 7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-13
Original CVE updated
2026-06-30
Advisory published
2026-04-13
Advisory updated
2026-06-30

Who should care

Developers and operators of applications that call Python's webbrowser module should be aware of this vulnerability, in particular anyone whose code passes URLs from untrusted sources (user input, network responses, files) to webbrowser.open(). Such callers should validate URLs before the call rather than rely on the module to neutralise them.

Technical summary

The vulnerability arises from the webbrowser module's handling of the URL when it builds the command used to launch the browser. The module uses '%action' as a substitution placeholder in that command for certain browser types, so a URL containing the string '%action' is expanded rather than passed through literally, which can lead to command injection into the shell. This is the residue of the incomplete mitigation for CVE-2026-4519. The CVSS 4.0 vector requires local access (AV:L), low attack complexity (AC:L) and active user interaction (UI:A), with high impact on confidentiality (VC:H) and integrity (VI:H). In practice this means an attacker must get a crafted URL into a local program that hands it to webbrowser.open() on an affected browser configuration.

Defensive priority

Treat this as high priority. Update CPython as soon as a fixed build is available (the webbrowser module ships with the interpreter, not as a separate package). In the meantime, review every code path that passes an externally supplied URL to webbrowser.open() and validate the URL before the call.

Recommended defensive actions

  • Update CPython to a release that includes the fix for CVE-2026-4786; the webbrowser module cannot be patched independently of the interpreter.
  • Validate every URL passed to webbrowser.open(): allow only the schemes the application needs, reject control characters, and reject any URL containing the '%action' placeholder named in this advisory.
  • Normalise percent-encoding before the call so that only well-formed %XX escapes remain; a stray '%' should not be able to form a token the module will expand.
  • Monitor for and respond to potential exploitation attempts, for example unexpected child processes spawned by applications that launch a browser.
  • Where possible, do not pass untrusted URLs to webbrowser.open() at all; launch a fixed, trusted URL and carry the untrusted part as a validated query parameter, or present the URL to the user instead of opening it.
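The following Python is an added example, not code from the CPython project or from this advisory. It shows the validation layer the actions above call for: a scheme allow-list, rejection of control characters, re-encoding of bare '%' characters so only well-formed escapes survive, and rejection of the '%action' placeholder named in the advisory. The names validate_url, safe_open and UnsafeURL, the http/https allow-list and the sample inputs are assumptions of the example. It is a mitigating control for callers, not a substitute for updating CPython.

```python
import re
import webbrowser
from urllib.parse import urlsplit

# Schemes a browser launcher should ever be handed from untrusted input
# (assumption for this example; widen deliberately if you need others).
ALLOWED_SCHEMES = frozenset({"http", "https"})

# Placeholder named in the advisory: the module expands it in the command it
# builds for some browser types, so it must never survive inside a URL.
TEMPLATE_TOKENS = ("%action",)

# A '%' that is not followed by two hex digits is not a valid percent-escape.
_BARE_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")


class UnsafeURL(ValueError):
    """Raised when a URL fails validation and must not reach webbrowser.open()."""


def validate_url(url: str) -> str:
    """Return a normalised URL that is safe to hand to webbrowser.open(), or raise.

    Checks, in order: type, control characters, scheme allow-list, presence of a
    host, and the webbrowser template token named in the advisory. Bare '%'
    characters are re-encoded as '%25' so the result contains only well-formed
    escapes.
    """
    if not isinstance(url, str):
        raise UnsafeURL("url must be a str")
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        raise UnsafeURL("control character in url")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if not parts.netloc:
        raise UnsafeURL("url has no host")
    normalised = _BARE_PERCENT.sub("%25", url)
    # Case-insensitive on purpose: rejecting the rare legitimate '%ACtion'
    # (escape 0xAC followed by 'tion') is cheaper than guessing which
    # spellings a given browser template will expand.
    lowered = normalised.lower()
    for token in TEMPLATE_TOKENS:
        if token in lowered:
            raise UnsafeURL(f"webbrowser template token {token!r} in url")
    return normalised


def safe_open(url: str, opener=webbrowser.open, **kwargs) -> bool:
    """Validate first, then delegate to the real launcher (injectable for tests)."""
    return opener(validate_url(url), **kwargs)


if __name__ == "__main__":
    # Constructed sample inputs; nothing below launches a browser.
    samples = [
        "https://example.com/docs?q=a%20b",      # accepted unchanged
        "https://example.com/report?pct=100%",   # bare '%' becomes '%25'
        "https://example.com/%action",           # rejected: template token
        "file:///etc/passwd",                    # rejected: scheme
        "https://example.com/a\nb",              # rejected: control char
    ]
    for sample in samples:
        try:
            print("OK     ", validate_url(sample))
        except UnsafeURL as exc:
            print("REJECT ", repr(sample), "->", exc)
```

Call safe_open() everywhere the application currently calls webbrowser.open(); the opener parameter exists only so the wrapper can be exercised without launching a browser. The '%action' check is deliberately a substring match rather than a parse of the browser command templates, because the advisory does not enumerate which browser types are affected and a caller cannot know in advance which one the user's machine will select.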

Evidence notes

The CVE-2026-4786 entry on the CVE website provides details about the vulnerability. The NVD entry offers additional information on the vulnerability's characteristics and potential impacts. Multiple references from the Python GitHub repository and Red Hat's errata pages provide further context and mitigation strategies.

Official resources

This article is AI-assisted and based on the supplied source corpus.