Skip to main content

Cpython CVE-2026-4786

| EUVDEUVD-2026-22134 HIGH
Command Injection (CWE-77)
2026-04-13 PSF GHSA-cccx-m78h-m3xw
7.0
CVSS 4.0 · Vendor: PSF
Share

Severity by source

Vendor (PSF) PRIMARY
7.0 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
4.0 MEDIUM
qualitative
Red Hat
7.1 HIGH
qualitative

Primary rating from Vendor (PSF).

CVSS VectorVendor: PSF

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 12:37 vuln.today
CVSS changed
Apr 13, 2026 - 22:52 NVD
7.0 (HIGH)
EUVD ID Assigned
Apr 13, 2026 - 22:00 euvd
EUVD-2026-22134
Analysis Generated
Apr 13, 2026 - 22:00 vuln.today
Patch released
Apr 13, 2026 - 22:00 nvd
Patch available
CVE Published
Apr 13, 2026 - 21:52 nvd
HIGH 7.0

DescriptionCVE.org

Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.

AnalysisAI

Command injection in CPython's webbrowser.open() API bypasses previous CVE-2026-4519 mitigation via specially crafted URLs containing '%action' patterns. All CPython versions prior to 3.15.0 are affected, allowing local attackers with user interaction to execute arbitrary commands through underlying shell injection. EPSS probability is low (0.02%, 5th percentile), no active exploitation confirmed (not in CISA KEV), but publicly available patches exist via multiple GitHub commits. The incomplete mitigation highlights the challenge of securing browser-handling code across diverse browser implementations.

Technical ContextAI

This vulnerability affects the Python Software Foundation's CPython interpreter (cpe:2.3:a:python_software_foundation:cpython), specifically the webbrowser module's open() API which provides cross-platform browser launching functionality. The root cause is CWE-77 (Improper Neutralization of Special Elements used in a Command), a command injection class vulnerability. The webbrowser module constructs shell commands to invoke external browsers, and the previous CVE-2026-4519 fix attempted to sanitize URLs but failed to account for '%action' URL patterns. When these patterns are present, certain browser types process the URL in ways that allow shell metacharacters to escape sanitization, ultimately reaching the underlying shell interpreter (via subprocess calls or similar mechanisms). The browser-type dependency explains the 'AT:P' (Attack Requirements: Present) rating in the CVSS vector, as exploitation success depends on the specific browser registered as the system default.

RemediationAI

Upgrade to CPython 3.15.0 or later, which includes complete fixes via GitHub commits c5767a72838a8dda9d6dc5d3558075b055c56bca, d22922c8a7958353689dc4763dd72da2dea03fff, and f4654824ae0850ac87227fb270f9057477946769 merged in PR #148170. For environments unable to upgrade immediately, avoid passing user-controlled or untrusted URLs to webbrowser.open() without rigorous input validation. Implement allowlisting for URL schemes (http/https only) and reject URLs containing '%action' patterns or shell metacharacters. Review application code for instances where webbrowser module processes external input. Consult GitHub issue #148169 for technical implementation details and vendor advisory at https://mail.python.org/archives/list/security-announce@python.org/thread/JQDUNJVB4AQNTJECSUKOBDU3XCJIPSE5/ for additional mitigation guidance.

CVE-2026-6100 CRITICAL
9.1 Apr 13

CPython decompression modules (lzma, bz2, gzip) allow memory corruption via use-after-free when decompressor instances a

CVE-2026-11972 HIGH
8.2 Jun 23

Denial of service in CPython's tarfile module allows remote attackers to trigger an infinite loop by supplying a crafted

CVE-2026-9669 HIGH
8.2 Jun 08

Stack-based buffer overflow in CPython's bz2.BZ2Decompressor allows remote attackers to crash Python applications by sen

CVE-2026-11940 HIGH
7.8 Jun 23

Path traversal in CPython's tarfile module allows a crafted tar archive to bypass the 'data' and 'tar' extraction filter

CVE-2026-4519 HIGH
7.0 Mar 20

The webbrowser.open() API in CPython accepts URLs with leading dashes, which certain web browsers interpret as command-l

CVE-2026-7774 MEDIUM
6.9 Jun 04

Path traversal in CPython's tarfile module allows malicious tar archives to bypass the data_filter safety mechanism and

CVE-2026-7210 MEDIUM
6.3 May 11

XML parsers in CPython's xml.parsers.expat and xml.etree.ElementTree modules use insufficient entropy for Expat hash-flo

CVE-2026-3276 MEDIUM
6.3 Jun 03

Denial-of-service via quadratic algorithmic complexity in CPython's unicodedata.normalize() affects all CPython versions

CVE-2026-8328 MEDIUM
5.9 May 13

Server-Side Request Forgery in CPython's ftplib module allows a malicious FTP source server to redirect a target FTP ser

CVE-2026-12003 MEDIUM
5.3 Jun 16

Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a mor

CVE-2026-0864 MEDIUM
4.1 Jun 23

Config file injection in CPython's configparser module allows an attacker who controls multi-line values written via con

CVE-2026-6019 LOW
2.1 Apr 22

CPython's http.cookies.Morsel.js_output() method generates inline script snippets that fail to neutralize the HTML parse

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

CVE-2026-4786 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy