CVE-2026-4519
Published: March 21, 2026
Last modified: March 28, 2026
Description
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
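One way to apply the recommended sanitization before calling webbrowser.open(), shown as an added example that is not code from CPython or from this advisory. The function names, the http/https allow-list and the sample inputs are assumptions made for illustration.

```python
import webbrowser
from urllib.parse import urlsplit

# Assumption: the application only ever needs to open ordinary web links.
ALLOWED_SCHEMES = {"http", "https"}


def validate_browser_url(url):
    """Return url unchanged if it is safe to pass to a browser command line,
    otherwise raise ValueError."""
    if not isinstance(url, str) or not url:
        raise ValueError("URL must be a non-empty string")
    # Reject instead of trimming, so malformed input stays visible to callers.
    if url != url.strip() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        raise ValueError("whitespace padding or control characters in URL")
    # The case described in the advisory: a leading dash can be read as an
    # option by the browser executable. The scheme allow-list below would
    # also catch it; the explicit check documents the intent.
    if url.startswith("-"):
        raise ValueError("URL starts with '-'")
    parts = urlsplit(url)  # may itself raise ValueError on malformed hosts
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("URL has no host")
    return url


def is_safe(url):
    """Boolean form of validate_browser_url for logging and filtering."""
    try:
        validate_browser_url(url)
        return True
    except ValueError:
        return False


def open_untrusted(url):
    """Validate first, then hand the URL to the default browser."""
    return webbrowser.open(validate_browser_url(url))


# Constructed sample inputs, not taken from the advisory.
SAMPLES = ["https://example.com/docs?q=1", "--some-option=value",
           "-x", "file:///tmp/report.html", " https://example.com",
           "https:///missing-host"]

if __name__ == "__main__":
    for s in SAMPLES:
        print("%-35r %s" % (s, "ok" if is_safe(s) else "rejected"))
```

The check is independent of the interpreter version, so it also covers deployments that have not yet picked up a fixed python3 package.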
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 3.3 |
| Attack Vector | LOCAL |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality | NONE |
| Integrity impact | LOW |
| Availability impact | NONE |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | python3 | Fixed (3.11.15-r1) |
| Alpaquita Linux | 25 LTS | python3 | Fixed (3.12.13-r1) |
| Alpaquita Linux | Stream | python3 | Fixed (3.12.13-r1) |
| Hardened Containers | 23 LTS | python3 | Fixed (3.11.15-r1) |
| Hardened Containers | 25 LTS | python3 | Fixed (3.12.13-r1) |
| Hardened Containers | Stream | python3 | Fixed (3.12.13-r1) |
References
- http://www.openwall.com/lists/oss-security/2026/03/20/1
- https://access.redhat.com/errata/RHSA-2026:10065
- https://access.redhat.com/errata/RHSA-2026:10101
- https://access.redhat.com/errata/RHSA-2026:10102
- https://access.redhat.com/errata/RHSA-2026:10111
- https://access.redhat.com/errata/RHSA-2026:10140
- https://access.redhat.com/errata/RHSA-2026:10141
- https://access.redhat.com/errata/RHSA-2026:13812
- https://access.redhat.com/errata/RHSA-2026:16008
- https://access.redhat.com/errata/RHSA-2026:16009
- https://access.redhat.com/errata/RHSA-2026:16030
- https://access.redhat.com/errata/RHSA-2026:16174
- https://access.redhat.com/errata/RHSA-2026:19019
- https://access.redhat.com/errata/RHSA-2026:19064
- https://access.redhat.com/errata/RHSA-2026:19175
- https://access.redhat.com/errata/RHSA-2026:19176
- https://access.redhat.com/errata/RHSA-2026:19177
- https://access.redhat.com/errata/RHSA-2026:19216
- https://access.redhat.com/errata/RHSA-2026:19724
- https://access.redhat.com/errata/RHSA-2026:19725
- https://access.redhat.com/errata/RHSA-2026:21275
- https://access.redhat.com/errata/RHSA-2026:25096
- https://access.redhat.com/errata/RHSA-2026:6016
- https://access.redhat.com/errata/RHSA-2026:6035
- https://access.redhat.com/errata/RHSA-2026:6256
- https://access.redhat.com/errata/RHSA-2026:6281
- https://access.redhat.com/errata/RHSA-2026:6283
- https://access.redhat.com/errata/RHSA-2026:6285
- https://access.redhat.com/errata/RHSA-2026:6286
- https://access.redhat.com/errata/RHSA-2026:6473
- https://access.redhat.com/errata/RHSA-2026:6766
- https://access.redhat.com/errata/RHSA-2026:7010
- https://access.redhat.com/errata/RHSA-2026:7244
- https://access.redhat.com/errata/RHSA-2026:7329
- https://access.redhat.com/errata/RHSA-2026:7335
- https://access.redhat.com/errata/RHSA-2026:7443
- https://access.redhat.com/errata/RHSA-2026:7661
- https://access.redhat.com/errata/RHSA-2026:8746
- https://access.redhat.com/errata/RHSA-2026:8747
- https://access.redhat.com/errata/RHSA-2026:8748
- https://access.redhat.com/errata/RHSA-2026:9042
- https://access.redhat.com/errata/RHSA-2026:9260
- https://access.redhat.com/errata/RHSA-2026:9261
- https://access.redhat.com/errata/RHSA-2026:9262
- https://access.redhat.com/errata/RHSA-2026:9289
- https://access.redhat.com/errata/RHSA-2026:9354
- https://access.redhat.com/errata/RHSA-2026:9386
- https://access.redhat.com/errata/RHSA-2026:9387
- https://access.redhat.com/errata/RHSA-2026:9591
- https://access.redhat.com/errata/RHSA-2026:9614
- https://access.redhat.com/errata/RHSA-2026:9621
- https://access.redhat.com/errata/RHSA-2026:9705
- https://access.redhat.com/errata/RHSA-2026:9745
- https://access.redhat.com/security/cve/CVE-2026-4519
- https://bugzilla.redhat.com/show_bug.cgi?id=2449649
- https://github.com/python/cpython/commit/3681d47a440865aead912a054d4599087b4270dd
- https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866
- https://github.com/python/cpython/commit/591ed890270c5697b013bf637029fb3e6cd2d73e
- https://github.com/python/cpython/commit/594b5a05dc9913880ac92eded440defbf32a28d1
- https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b
- https://github.com/python/cpython/commit/89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4
- https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76
- https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c
- https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5
- https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48
- https://github.com/python/cpython/commit/cc023511238ad93ecc8796157c6f9139a2bb2932
- https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03
- https://github.com/python/cpython/issues/143930
- https://github.com/python/cpython/pull/143931
- https://mail.python.org/archives/list/[email protected]/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4519.json