CVE-2026-4519

| EUVD-2026-13712 HIGH
2026-03-20 PSF
7.0
CVSS 4.0
Share

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
Analysis Generated
Mar 20, 2026 - 15:15 vuln.today
EUVD ID Assigned
Mar 20, 2026 - 15:15 euvd
EUVD-2026-13712
Patch Released
Mar 20, 2026 - 15:15 nvd
Patch available
CVE Published
Mar 20, 2026 - 15:08 nvd
HIGH 7.0

Tags

Information Disclosure

Description

The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

Analysis

The webbrowser.open() API in CPython accepts URLs with leading dashes, which certain web browsers interpret as command-line options rather than URLs, potentially leading to unintended command execution or information disclosure. This affects all CPython versions using the vulnerable webbrowser module. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 7 days: Identify all affected systems running the URL which could be handled as command line options for and apply vendor patches promptly. Vendor patch is available.

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

35
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +35
POC: 0

Vendor Status

Debian

jython
Release Status Fixed Version Urgency
bullseye vulnerable 2.7.2+repack1-3 -
forky, sid, bookworm, trixie vulnerable 2.7.3+repack1-1 -
(unstable) fixed (unfixed) -
pypy3
Release Status Fixed Version Urgency
bullseye vulnerable 7.3.5+dfsg-2+deb11u2 -
bullseye (security) vulnerable 7.3.5+dfsg-2+deb11u5 -
bookworm vulnerable 7.3.11+dfsg-2+deb12u3 -
trixie vulnerable 7.3.19+dfsg-2 -
forky vulnerable 7.3.20+dfsg-4 -
sid vulnerable 7.3.21+dfsg-2 -
(unstable) fixed (unfixed) -
python2.7
Release Status Fixed Version Urgency
bullseye vulnerable 2.7.18-8+deb11u1 -
(unstable) fixed (unfixed) -
python3.11
Release Status Fixed Version Urgency
bookworm vulnerable 3.11.2-6+deb12u6 -
bookworm (security) vulnerable 3.11.2-6+deb12u3 -
(unstable) fixed (unfixed) -
python3.13
Release Status Fixed Version Urgency
trixie vulnerable 3.13.5-2 -
forky, sid vulnerable 3.13.12-1 -
(unstable) fixed (unfixed) -
python3.14
Release Status Fixed Version Urgency
forky, sid vulnerable 3.14.3-2 -
(unstable) fixed (unfixed) -
python3.9
Release Status Fixed Version Urgency
bullseye vulnerable 3.9.2-1 -
bullseye (security) vulnerable 3.9.2-1+deb11u5 -
(unstable) fixed (unfixed) -

Share

CVE-2026-4519 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy