FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

python -- more webbrowser.open() command injection vulnerabilities

Affected packages
0 <= python310
0 <= python311
0 <= python312
0 <= python313
python314 < 3.14.4_2

Details

VuXML ID cf75f572-378a-11f1-a119-e36228bfe7d4
Discovery 2026-04-06
Entry 2026-04-13

Seth Larson reports:

[CVE-2026-4786] Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()

There is a HIGH severity vulnerability affecting CPython.

Mitigation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed, and for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.
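The fix for this issue is the upgraded port listed above. As an added defender-side example (not part of the advisory and not CPython's own fix), the wrapper below shows the call-site input validation a practitioner might put in front of webbrowser.open() while upgrades roll out. The function names are mine, and the approach rests on one assumption drawn from the advisory text: that the expansion is a literal, case-sensitive substitution of the "%action" token (and, for the original CVE, "%s"). Given that, canonicalising every percent-escape to uppercase hex, as RFC 3986 section 6.2.2.1 permits, and refusing any "%" that does not start a well-formed escape means neither token can survive in the string handed to the launcher:

```python
import re
import webbrowser
from urllib.parse import urlsplit

# Schemes a browser is expected to open; anything else is refused outright.
ALLOWED_SCHEMES = {"http", "https"}

# A "%" that is not followed by exactly two hex digits is not a valid escape.
# This catches "%s" (the CVE-2026-4519 token) and any truncated escape.
_MALFORMED_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")

# A well-formed escape, captured so its hex digits can be uppercased.
_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")

# Substitution tokens named in the advisories (assumption: matched literally
# and case-sensitively by the launcher, so uppercasing hex defuses "%action").
_LAUNCHER_TOKENS = ("%action", "%s")


def validate_url(url: str) -> str:
    """Return a canonicalised copy of `url`, or raise ValueError if it is unsafe."""
    if not isinstance(url, str):
        raise ValueError("URL must be a str")
    # Whitespace, control characters and quoting characters have no place in a
    # URL that is about to be passed to an external launcher.
    if any(ch.isspace() or ord(ch) < 0x20 or ch in "\"'`" for ch in url):
        raise ValueError("URL contains whitespace, control or quote characters")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("URL has no host component")
    if _MALFORMED_ESCAPE.search(url):
        raise ValueError("URL contains a malformed percent sequence")
    # RFC 3986 6.2.2.1: uppercase hex in escapes is the canonical form, so this
    # rewrite is semantically neutral, but "%action" becomes "%ACtion".
    canonical = _ESCAPE.sub(lambda m: "%" + m.group(1).upper(), url)
    # Belt and braces: the literal tokens must be gone after canonicalisation.
    for token in _LAUNCHER_TOKENS:
        if token in canonical:
            raise ValueError(f"URL still contains launcher token {token!r}")
    return canonical


def is_safe_url(url: str) -> bool:
    """Boolean form of validate_url() for callers that prefer not to catch."""
    try:
        validate_url(url)
    except ValueError:
        return False
    return True


def safe_open(url: str, new: int = 0, autoraise: bool = True) -> bool:
    """Validate and canonicalise `url`, then hand it to webbrowser.open()."""
    return webbrowser.open(validate_url(url), new=new, autoraise=autoraise)
```

Callers swap `webbrowser.open(url)` for `safe_open(url)`; a rejected URL raises ValueError before any launcher process is started. The allowlist of schemes is deliberately narrow and should be widened only for schemes the application genuinely needs.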

References

CVE Name CVE-2026-4786
URL https://github.com/python/cpython/issues/148169
URL https://github.com/python/cpython/pull/148170
URL https://mail.python.org/archives/list/security-announce@python.org/thread/JQDUNJVB4AQNTJECSUKOBDU3XCJIPSE5/
URL https://www.cve.org/CVERecord?id=CVE-2026-4786