FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Python -- The webbrowser.open() API allows leading dashes

Affected packages
python310 < 3.10.20_2
python311 < 3.11.15_2
python312 < 3.12.13_2
python313 < 3.13.12_3
python313t < 3.13.12_3
0 <= python314

Details

VuXML ID 9fdad262-2e0f-11f1-88c7-00a098b42aeb
Discovery 2026-03-20
Entry 2026-04-01
Modified 2026-04-04

https://github.com/python/cpython/pull/143931 reports:

The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

[source]

References

CVE Name CVE-2026-4519
URL https://cveawg.mitre.org/api/cve/CVE-2026-4519

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.