CVE-2026-4519
Command Injection Risk via Leading Dashes in Python webbrowser.open
Publication date: 2026-03-20
Last updated on: 2026-04-16
Assigner: Python Software Foundation
Description
CVSS Scores
EPSS Scores
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python | python | up to 3.13.13 (excluding) |
| python | python | from 3.14.0 (including) to 3.14.4 (excluding) |
| python | python | 3.15.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4519 is a security vulnerability in Python's webbrowser.open() API. The function previously accepted URLs that begin with leading dashes ("-"). Because the URL is handed to the browser process as a command-line argument, certain web browsers could interpret such a value as a command-line option rather than as a page to load, causing unintended behaviour or security risks.

To address this, the updated webbrowser.open() rejects URLs with leading dashes. Users are advised to sanitize URLs before passing them to webbrowser.open(). [1, 2, 3]
How can this vulnerability impact me?
When a URL beginning with "-" reaches webbrowser.open(), the browser is started with that value on its command line, so the browser may parse it as an option instead of a URL. This is argument injection into the browser's command line rather than injection of a new command.
The impact depends on which options the browser honours; an attacker who controls the URL can influence how the browser process is launched, which may lead to unexpected or malicious behaviour.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the webbrowser.open() API accepting URLs with leading dashes, which certain web browsers interpret as command-line options. Detection means finding the places where a URL that an attacker can influence reaches webbrowser.open() (or open_new()/open_new_tab(), which take the same URL argument) and checking whether that URL could begin with a dash.

Since this is a programming API issue rather than a network protocol vulnerability, network-level detection is not practical. On the system or application level you can audit or log calls to webbrowser.open() and flag any URL that begins with a dash ('-'). Suggested methods:

- Check the interpreter version against the affected ranges above, e.g. `python3 -c "import sys; print(sys.version)"`.
- Review application logs or add logging around calls to webbrowser.open() to capture the URLs passed at run time.
- Use grep or static analysis to find every opener call, not only calls with a literal dash (a hardcoded "-..." is rare; the risk is a variable that carries user input), for example: `grep -rn "webbrowser\.open" ./your_codebase`
- If you have access to runtime debugging or tracing, monitor the parameters passed to webbrowser.open() for values starting with a dash. [1, 2, 3]
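The static-analysis step above can be made more useful than a grep: the calls worth reviewing are the ones whose URL argument is not a dash-free string literal. The scanner below is an added example written for this page, not a tool from CPython or the CVE record; it walks a module's AST, resolves `import webbrowser [as x]` and `from webbrowser import open*` bindings, and reports each opener call whose URL is an expression (variable, f-string, call, keyword argument) or a literal that itself starts with "-". The `SAMPLE` module it scans is constructed for the demonstration.

```python
"""Static scan for webbrowser.open*() calls that deserve review for CVE-2026-4519.

Added example for this page; not a tool from CPython or the CVE record.
A string-literal URL can only start with '-' if a developer typed it, so the
calls worth auditing are the ones whose URL argument is an expression
(variable, f-string, function result) that may carry attacker-controlled data.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

OPENERS = {"open", "open_new", "open_new_tab"}


@dataclass
class Finding:
    lineno: int
    call: str   # callee as written, e.g. "webbrowser.open" or "open_new_tab"
    arg: str    # source text of the URL argument


def _callee_name(func: ast.expr) -> str | None:
    # webbrowser.open(...) -> "webbrowser.open"; open_new_tab(...) -> "open_new_tab"
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    if isinstance(func, ast.Name):
        return func.id
    return None


def scan_source(src: str) -> list[Finding]:
    """Return one Finding per webbrowser opener call whose URL is not a
    string literal, or is a literal that itself starts with '-'."""
    tree = ast.parse(src)
    module_aliases: set[str] = set()   # names bound by `import webbrowser [as x]`
    bare_names: set[str] = set()       # names bound by `from webbrowser import open [as y]`
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            module_aliases.update(a.asname or a.name for a in node.names if a.name == "webbrowser")
        elif isinstance(node, ast.ImportFrom) and node.module == "webbrowser":
            bare_names.update(a.asname or a.name for a in node.names if a.name in OPENERS)

    findings: list[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node.func)
        if name is None:
            continue
        mod, _, attr = name.rpartition(".")
        is_opener = (mod in module_aliases and attr in OPENERS) or (not mod and name in bare_names)
        if not is_opener:
            continue
        # webbrowser.open(url, new=0, autoraise=True): url may be positional or keyword
        url_arg = node.args[0] if node.args else next(
            (kw.value for kw in node.keywords if kw.arg == "url"), None)
        if url_arg is None:
            continue
        if isinstance(url_arg, ast.Constant) and isinstance(url_arg.value, str):
            if not url_arg.value.startswith("-"):
                continue   # hardcoded, dash-free literal: nothing an attacker controls
        findings.append(Finding(node.lineno, name, ast.unparse(url_arg)))
    return sorted(findings, key=lambda f: f.lineno)


# Constructed sample module (not real project code) exercising each case.
SAMPLE = '''\
import webbrowser
import webbrowser as wb
from webbrowser import open_new_tab

def show(url):
    webbrowser.open(url)                 # variable: review
    wb.open("https://example.com/")      # dash-free literal: skip
    open_new_tab(f"https://{url}")       # f-string: review
    webbrowser.open("-remote")           # literal starting with '-': review
    webbrowser.open_new(url=url)         # keyword argument: review
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.lineno}: {f.call}({f.arg})")
```

Run it over real files with `scan_source(open(path).read())`; the output is a review list, not a verdict, since the scanner cannot know whether the variable it flags is ever attacker-controlled. It deliberately ignores calls made through other bindings (for example a method reference stored in a dict), so treat a clean result as "nothing obvious" rather than "nothing there".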
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update your Python environment to a release where the fix is applied. Per the affected-version table above, 3.13.13 and 3.14.4 are outside the affected ranges; the fix (published March 20, 2026) makes webbrowser.open() reject URLs with leading dashes.
Independently of the interpreter version, if you maintain code that passes untrusted input to webbrowser.open(), validate the URL before the call: reject values that start with a dash so they cannot be interpreted as command-line options, and, as general hardening, accept only the schemes you expect (for example http and https) rather than forwarding arbitrary strings to the browser.
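The explanation and the mitigation steps above both come down to one check in the caller: never let a string that starts with "-" become an argument of the browser process. The wrapper below is an added example for this page, not code from CPython or the CVE record. `validate_url()` rejects leading dashes (the CVE-2026-4519 case) and, as extra hardening that goes beyond the fix described on the page, rejects whitespace, non-http(s) schemes and host-less URLs; `safe_open()` takes an injectable `opener` so the behaviour can be checked without launching a browser. The candidate inputs in the `__main__` block are constructed.

```python
"""Hardened wrapper for webbrowser.open() on untrusted URLs.

Added example for this page; it is not code from the CVE record or from
CPython. validate_url() refuses anything a browser process could parse as
an option (the leading-dash case behind CVE-2026-4519) and, as extra
hardening, only forwards http/https URLs that name a host.
"""
import webbrowser
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})


def validate_url(url: str) -> str:
    """Return url unchanged if it is safe to pass to a browser, else raise ValueError."""
    if not isinstance(url, str):
        raise ValueError("URL must be a str")
    # Whitespace is never valid in a URL, and leading spaces ("  -foo") would
    # hide a dash from a naive startswith() check: reject rather than guess.
    if not url or url != url.strip() or any(ch.isspace() for ch in url):
        raise ValueError("empty URL or whitespace in URL")
    # The point of CVE-2026-4519: the URL becomes an argv element of the
    # browser command line, so "-..." / "--..." may be parsed as an option.
    if url.startswith("-"):
        raise ValueError("URL starts with '-' and could be parsed as an option")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("URL has no host")
    return url


def is_safe_url(url: str) -> bool:
    """Boolean form of validate_url(), convenient for filtering and tests."""
    try:
        validate_url(url)
    except ValueError:
        return False
    return True


def safe_open(url: str, opener=webbrowser.open, new: int = 0) -> bool:
    """Validate, then open. `opener` is injectable so callers (and tests)
    can substitute a recorder instead of launching a real browser."""
    return opener(validate_url(url), new)


if __name__ == "__main__":
    # Constructed inputs: the kind of values a CLI flag or web form might deliver.
    for candidate in ["https://example.com/docs", "-osint", "--new-window",
                      "file:///etc/passwd", " https://example.com", "http://"]:
        print(f"{candidate!r:28} -> {'open' if is_safe_url(candidate) else 'reject'}")
```

The scheme allowlist is the part most worth keeping even on a patched interpreter: the fixed webbrowser.open() stops the leading-dash case, but it is still the application's job to decide which kinds of URL a user may cause the browser to open.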