CVE-2026-4519 - Vulnerability Details

- webbrowser.open() allows leading dashes in URLs

Description

The webbrowser.open() API would accept leading dashes in the URL which
could be handled as command line options for certain web browsers. New
behavior rejects leading dashes. Users are recommended to sanitize URLs
prior to passing to webbrowser.open().

Published: 2026-03-20

Score: 7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The webbrowser.open() function in CPython accepts URLs that begin with a hyphen. Certain web browsers interpret such leading dashes as command‑line options, allowing an attacker to influence the browser’s behavior or execute arbitrary commands. This lack of input validation is a classic command‑injection issue that can compromise confidentiality, integrity, or availability of the victim system.

Affected Systems

Python software, specifically the CPython interpreter’s standard library webbrowser module, is affected. The vulnerability applies to any CPython installation that has not incorporated the patches referenced in the advisory; version numbers are not explicitly provided, so all pre‑patch releases are potentially vulnerable.

Risk and Exploitability

With a CVSS score of 7, the vulnerability is of medium‑to‑high severity, yet an EPSS score of less than 1% indicates a low probability of exploitation. It is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a crafted URL to webbrowser.open() – typically in applications that accept user input – making the attack vector local to the user’s code execution environment. The risk level is therefore contingent on the application's exposure to untrusted URLs.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Python Software Foundation

CPython

unaffected

Version	Status	Constraints
`0`	affected	< 3.13.13
`3.14.0`	affected	< 3.14.4
`3.15.0a1`	affected	< 3.15.0a8

No data.

Vendor Product Confidence Versions

Python

Cpython

95%

Version	Status	Scheme	Platform
`[0,3.15.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update CPython to a version that includes the fix referenced in the advisory.
Sanitize all URLs before passing them to webbrowser.open(); strip leading dashes or validate against a strict regex for allowed URL schemes.
Restrict user input or whitelist approved URLs in applications that use webbrowser.open().
If an immediate update is not feasible, consider rewriting the code to use alternative mechanisms that validate URLs before invoking the browser.

Generated by OpenCVE AI on March 25, 2026 at 16:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00034.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/03/20/1
https://github.com/python/cpython/commit/3681d47a440865aead912a054d4599087b4270dd
https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866
https://github.com/python/cpython/commit/591ed890270c5697b013bf637029fb3e6cd2d73e
https://github.com/python/cpython/commit/594b5a05dc9913880ac92eded440defbf32a28d1
https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b
https://github.com/python/cpython/commit/89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4
https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76
https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c
https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5
https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48
https://github.com/python/cpython/commit/cc023511238ad93ecc8796157c6f9139a2bb2932
https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03
https://github.com/python/cpython/issues/143930
https://github.com/python/cpython/pull/143931
https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/
https://nvd.nist.gov/vuln/detail/CVE-2026-4519
https://www.cve.org/CVERecord?id=CVE-2026-4519

History

Tue, 07 Apr 2026 20:45:00 +0000

Type	Values Removed	Values Added
References		https://github.com/python/cpython/commit/3681d47a440865aead912a054d4599087b4270dd https://github.com/python/cpython/commit/591ed890270c5697b013bf637029fb3e6cd2d73e https://github.com/python/cpython/commit/594b5a05dc9913880ac92eded440defbf32a28d1 https://github.com/python/cpython/commit/89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4 https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c https://github.com/python/cpython/commit/cc023511238ad93ecc8796157c6f9139a2bb2932

Wed, 25 Mar 2026 17:45:00 +0000

Type	Values Removed	Values Added
References		https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48

Wed, 25 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 24 Mar 2026 19:30:00 +0000

Type	Values Removed	Values Added
References		https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866 https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76 https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5 https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03

Mon, 23 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Python Python cpython
Vendors & Products		Python Python cpython

Sat, 21 Mar 2026 05:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-88
References		https://nvd.nist.gov/vuln/detail/CVE-2026-4519 https://www.cve.org/CVERecord?id=CVE-2026-4519
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L'}` threat_severity `Important`

Fri, 20 Mar 2026 21:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/03/20/1

Fri, 20 Mar 2026 18:45:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV4_0 `{'score': 5.7, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}`	cvssV4_0 `{'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}`

Fri, 20 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Description		The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
Title		webbrowser.open() allows leading dashes in URLs
References		https://github.com/python/cpython/issues/143930 https://github.com/python/cpython/pull/143931 https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/
Metrics		cvssV4_0 `{'score': 5.7, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

Python Cpython

MITRE

Status: PUBLISHED

Assigner: PSF

Published: 2026-03-20T15:08:32.576Z

Updated: 2026-04-13T21:47:40.137Z

Reserved: 2026-03-20T15:01:11.126Z

Link: CVE-2026-4519

Vulnrichment

Updated: 2026-03-20T20:07:08.244Z

NVD

Status : Awaiting Analysis

Published: 2026-03-20T15:16:24.057

Modified: 2026-04-07T18:16:47.223

Link: CVE-2026-4519

Redhat

Severity : Important

Publid Date: 2026-03-20T15:08:32Z

Links: CVE-2026-4519 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T21:28:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object