Skip to main content

Cpython CVE-2026-4519

| EUVDEUVD-2026-13712 HIGH
Improper Input Validation (CWE-20)
2026-03-20 PSF
High
Disputed · 7.0 Vendor: PSF
Share

Severity by source

Sources disagree (Low–High)
Vendor (PSF) PRIMARY
7.0 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
3.3 LOW
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Red Hat
7.1 HIGH
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: PSF

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 16, 2026 - 15:22 vuln.today
cvss_changed
EUVD ID Assigned
Mar 20, 2026 - 15:15 euvd
EUVD-2026-13712
Analysis Generated
Mar 20, 2026 - 15:15 vuln.today
Patch released
Mar 20, 2026 - 15:15 nvd
Patch available
CVE Published
Mar 20, 2026 - 15:08 nvd
HIGH 7.0

DescriptionCVE.org

The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

AnalysisAI

The webbrowser.open() API in CPython accepts URLs with leading dashes, which certain web browsers interpret as command-line options rather than URLs, potentially leading to unintended command execution or information disclosure. This affects all CPython versions using the vulnerable webbrowser module. An attacker can craft a malicious URL containing leading dashes (e.g., '-P' or '--profile') that, when passed to webbrowser.open(), may trigger browser-specific behavior such as loading alternate profiles or executing browser commands, resulting in information disclosure or other security impacts.

Technical ContextAI

The vulnerability exists in CPython's webbrowser module, which is responsible for opening URLs in the user's default web browser. The root cause is improper input validation of the URL parameter before passing it to the underlying browser executable. Many command-line applications, including web browsers like Firefox and Chrome, interpret arguments beginning with dashes as command-line flags rather than positional arguments. The affected product is CPython (cpe:2.3:a:python_software_foundation:cpython:*:*:*:*:*:*:*:*), which means all versions of the CPython interpreter are affected unless patched. The underlying issue relates to insufficient sanitization of user-supplied input before use in system operations, a classic command-injection attack vector. The PSF patch (available at https://github.com/python/cpython/pull/143931) implements validation to reject URLs with leading dashes, preventing their interpretation as command-line options by downstream browser processes.

RemediationAI

Upgrade to the latest patched version of CPython that includes the fix for webbrowser.open() URL validation, as provided by the Python Software Foundation. Consult the official security advisory at https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/ and the CPython GitHub repository (https://github.com/python/cpython/pull/143931) for exact version information. As an immediate workaround, applications using webbrowser.open() should implement input validation to sanitize URLs and reject any URLs containing leading dashes before passing them to the API; the PSF recommends that users sanitize URLs prior to passing them to webbrowser.open(). Organizations should prioritize patching in their standard update cycles, particularly for production systems where user-controlled URLs may be processed.

CVE-2026-6100 CRITICAL
9.1 Apr 13

CPython decompression modules (lzma, bz2, gzip) allow memory corruption via use-after-free when decompressor instances a

CVE-2026-11972 HIGH
8.2 Jun 23

Denial of service in CPython's tarfile module allows remote attackers to trigger an infinite loop by supplying a crafted

CVE-2026-9669 HIGH
8.2 Jun 08

Stack-based buffer overflow in CPython's bz2.BZ2Decompressor allows remote attackers to crash Python applications by sen

CVE-2026-11940 HIGH
7.8 Jun 23

Path traversal in CPython's tarfile module allows a crafted tar archive to bypass the 'data' and 'tar' extraction filter

CVE-2026-4786 HIGH
7.0 Apr 13

Command injection in CPython's webbrowser.open() API bypasses previous CVE-2026-4519 mitigation via specially crafted UR

CVE-2026-7774 MEDIUM
6.9 Jun 04

Path traversal in CPython's tarfile module allows malicious tar archives to bypass the data_filter safety mechanism and

CVE-2026-7210 MEDIUM
6.3 May 11

XML parsers in CPython's xml.parsers.expat and xml.etree.ElementTree modules use insufficient entropy for Expat hash-flo

CVE-2026-3276 MEDIUM
6.3 Jun 03

Denial-of-service via quadratic algorithmic complexity in CPython's unicodedata.normalize() affects all CPython versions

CVE-2026-8328 MEDIUM
5.9 May 13

Server-Side Request Forgery in CPython's ftplib module allows a malicious FTP source server to redirect a target FTP ser

CVE-2026-12003 MEDIUM
5.3 Jun 16

Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a mor

CVE-2026-0864 MEDIUM
4.1 Jun 23

Config file injection in CPython's configparser module allows an attacker who controls multi-line values written via con

CVE-2026-6019 LOW
2.1 Apr 22

CPython's http.cookies.Morsel.js_output() method generates inline script snippets that fail to neutralize the HTML parse

Vendor StatusVendor

Debian

jython
Release Status Fixed Version Urgency
bullseye vulnerable 2.7.2+repack1-3 -
forky, sid, bookworm, trixie vulnerable 2.7.3+repack1-1 -
(unstable) fixed (unfixed) -
pypy3
Release Status Fixed Version Urgency
bullseye vulnerable 7.3.5+dfsg-2+deb11u2 -
bullseye (security) vulnerable 7.3.5+dfsg-2+deb11u5 -
bookworm vulnerable 7.3.11+dfsg-2+deb12u3 -
trixie vulnerable 7.3.19+dfsg-2 -
forky vulnerable 7.3.20+dfsg-4 -
sid vulnerable 7.3.21+dfsg-2 -
(unstable) fixed (unfixed) -
python2.7
Release Status Fixed Version Urgency
bullseye vulnerable 2.7.18-8+deb11u1 -
(unstable) fixed (unfixed) -
python3.11
Release Status Fixed Version Urgency
bookworm vulnerable 3.11.2-6+deb12u6 -
bookworm (security) vulnerable 3.11.2-6+deb12u3 -
(unstable) fixed (unfixed) -
python3.13
Release Status Fixed Version Urgency
trixie vulnerable 3.13.5-2 -
forky, sid vulnerable 3.13.12-1 -
(unstable) fixed (unfixed) -
python3.14
Release Status Fixed Version Urgency
forky, sid vulnerable 3.14.3-2 -
(unstable) fixed (unfixed) -
python3.9
Release Status Fixed Version Urgency
bullseye vulnerable 3.9.2-1 -
bullseye (security) vulnerable 3.9.2-1+deb11u5 -
(unstable) fixed (unfixed) -

SUSE

Severity: Low
Product Status
Container suse/sl-micro/6.0/toolbox:latest Affected
Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.92 Affected
SUSE Liberty Linux 10 Fixed
SUSE Liberty Linux 8 Fixed
SUSE Liberty Linux 9 Fixed

Share

CVE-2026-4519 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy