{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4519", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "state": "PUBLISHED", "assignerShortName": "PSF", "dateReserved": "2026-03-20T15:01:11.126Z", "datePublished": "2026-03-20T15:08:32.576Z", "dateUpdated": "2026-03-25T17:32:00.548Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["webbrowser"], "product": "CPython", "repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "versions": [{"lessThan": "3.15.0", "status": "affected", "version": "0", "versionType": "python"}]}], "credits": [{"lang": "en", "type": "coordinator", "value": "Seth Larson"}, {"lang": "en", "type": "remediation reviewer", "value": "Gregory P. Smith"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The webbrowser.open() API would accept leading dashes in the URL which \ncould be handled as command line options for certain web browsers. New \nbehavior rejects leading dashes. Users are recommended to sanitize URLs \nprior to passing to webbrowser.open()."}], "value": "The webbrowser.open() API would accept leading dashes in the URL which \ncould be handled as command line options for certain web browsers. New \nbehavior rejects leading dashes. Users are recommended to sanitize URLs \nprior to passing to webbrowser.open()."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2026-03-25T17:32:00.548Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/python/cpython/pull/143931"}, {"tags": ["issue-tracking"], "url": "https://github.com/python/cpython/issues/143930"}, {"tags": ["vendor-advisory"], "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48"}], "source": {"discovery": "UNKNOWN"}, "title": "webbrowser.open() allows leading dashes in URLs", "x_generator": {"engine": "Vulnogram 0.6.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/20/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-20T20:07:08.244Z"}}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-20", "lang": "en", "description": "CWE-20 Improper Input Validation"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:30:47.809505Z", "id": "CVE-2026-4519", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:31:16.543Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/20/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-20T20:07:08.244Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4519", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T14:30:47.809505Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:30:34.843Z"}}], "cna": {"title": "webbrowser.open() allows leading dashes in URLs", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "coordinator", "value": "Seth Larson"}, {"lang": "en", "type": "remediation reviewer", "value": "Gregory P. Smith"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "modules": ["webbrowser"], "product": "CPython", "versions": [{"status": "affected", "version": "0", "lessThan": "3.15.0", "versionType": "python"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/python/cpython/pull/143931", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/issues/143930", "tags": ["issue-tracking"]}, {"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.6.0"}, "descriptions": [{"lang": "en", "value": "The webbrowser.open() API would accept leading dashes in the URL which \ncould be handled as command line options for certain web browsers. New \nbehavior rejects leading dashes. Users are recommended to sanitize URLs \nprior to passing to webbrowser.open().", "supportingMedia": [{"type": "text/html", "value": "The webbrowser.open() API would accept leading dashes in the URL which \ncould be handled as command line options for certain web browsers. New \nbehavior rejects leading dashes. Users are recommended to sanitize URLs \nprior to passing to webbrowser.open().", "base64": false}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2026-03-25T17:32:00.548Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4519", "state": "PUBLISHED", "dateUpdated": "2026-03-25T17:32:00.548Z", "dateReserved": "2026-03-20T15:01:11.126Z", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "datePublished": "2026-03-20T15:08:32.576Z", "assignerShortName": "PSF"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The webbrowser.open() API would accept leading dashes in the URL which \ncould be handled as command line options for certain web browsers. New \nbehavior rejects leading dashes. Users are recommended to sanitize URLs \nprior to passing to webbrowser.open()."}], "id": "CVE-2026-4519", "lastModified": "2026-03-25T18:16:33.073", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@python.org", "type": "Secondary"}]}, "published": "2026-03-20T15:16:24.057", "references": [{"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/issues/143930"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/pull/143931"}, {"source": "cna@python.org", "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/03/20/1"}], "sourceIdentifier": "cna@python.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "python: Python: Command-line option injection in webbrowser.open() via crafted URLs", "id": "2449649", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449649"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L", "status": "draft"}, "cwe": "CWE-88", "details": ["A flaw was found in Python. The `webbrowser.open()` API, used to launch web browsers, does not properly sanitize input. This allows a remote attacker to craft a malicious URL containing leading dashes. When such a URL is opened, certain web browsers may interpret these dashes as command-line options, which could lead to unexpected behavior, information disclosure, or potentially arbitrary code execution, impacting the integrity of the system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-4519", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "python3.14", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "python", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "python", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "python36:3.6/python36", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "python39-devel:3.9/python39", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "python3.14", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "python3.9", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-aws-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-azure-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-azure-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-gcp-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}], "public_date": "2026-03-20T15:08:32Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4519\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4519\nhttps://github.com/python/cpython/issues/143930\nhttps://github.com/python/cpython/pull/143931\nhttps://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.15.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "CPython", "source": "cna", "vendor": "Python Software Foundation"}, "product": "cpython", "vendor": "python"}], "analysis": {"en": {"generated_at": "2026-03-25T16:41:13.793629+00:00", "value": {"mitigation_remediation": ["Update CPython to a version that includes the fix referenced in the advisory. ", "Sanitize all URLs before passing them to webbrowser.open(); strip leading dashes or validate against a strict regex for allowed URL schemes. ", "Restrict user input or whitelist approved URLs in applications that use webbrowser.open(). ", "If an immediate update is not feasible, consider rewriting the code to use alternative mechanisms that validate URLs before invoking the browser."], "summary": {"action": "Apply Patch", "impact": "Command Injection via webbrowser.open()"}, "threat_synthesis": {"affected_systems": "Python software, specifically the CPython interpreter\u2019s standard library webbrowser module, is affected. The vulnerability applies to any CPython installation that has not incorporated the patches referenced in the advisory; version numbers are not explicitly provided, so all pre\u2011patch releases are potentially vulnerable.", "description_and_impact": "The webbrowser.open() function in CPython accepts URLs that begin with a hyphen. Certain web browsers interpret such leading dashes as command\u2011line options, allowing an attacker to influence the browser\u2019s behavior or execute arbitrary commands. This lack of input validation is a classic command\u2011injection issue that can compromise confidentiality, integrity, or availability of the victim system.", "risk_and_exploitability": "With a CVSS score of 7, the vulnerability is of medium\u2011to\u2011high severity, yet an EPSS score of less than 1% indicates a low probability of exploitation. It is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a crafted URL to webbrowser.open() \u2013 typically in applications that accept user input \u2013 making the attack vector local to the user\u2019s code execution environment. The risk level is therefore contingent on the application's exposure to untrusted URLs."}}}}, "created": "2026-03-23T09:53:28.008059+00:00", "updated": "2026-03-25T21:28:16.132366+00:00", "vendors": ["python", "python$PRODUCT$cpython"]}