CVE-2026-4519
Modified
Modified - Updated After Analysis
Command Injection Risk via Leading Dashes in Python webbrowser.open
Vulnerability report for CVE-2026-4519, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-03-20
Last updated on: 2026-06-30
Assigner: Python Software Foundation
Description
Description
The webbrowser.open() API would accept leading dashes in the URL which
could be handled as command line options for certain web browsers. New
behavior rejects leading dashes. Users are recommended to sanitize URLs
prior to passing to webbrowser.open().
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python | python | 3.15.0 |
| python | python | 3.15.0 |
| python | python | to 3.13.13 (exc) |
| python | python | From 3.14.0 (inc) to 3.14.4 (exc) |
| python | python | 3.15.0 |
| python | python | 3.15.0 |
| python | python | 3.15.0 |
| python | python | 3.15.0 |
| python | python | 3.15.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |