PT-2026-26624 · Python+2 · Cpython+2
An7Y +1 · Published 2026-01-01 · Updated 2026-05-19 · CVE-2026-4519
CVSS v4.0: 7.0 (High)
Vector: AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
CPython (affected versions not specified)
Description
The webbrowser.open() API accepted leading dashes in URLs, which could be interpreted as command line options by certain web browsers. This behavior has been modified to reject leading dashes. The issue involves the potential for command execution through crafted URLs passed to the webbrowser.open() function. The vulnerable component is the webbrowser.open() API endpoint. The vulnerable parameter is the URL passed to the webbrowser.open() function.
Recommendations
Sanitize URLs prior to passing them to the webbrowser.open() function.
Fix · DoS · RCE
Weakness Enumeration
Related Identifiers
Affected Products
Cpython
Red Os
Rocky Linux