Description
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
References (16)
Core 16
Core References
Patch patch
https://github.com/python/cpython/pull/143931
Issue Tracking issue-tracking
https://github.com/python/cpython/issues/143930
Vendor Advisory vendor-advisory
https://mail.python.org/archives/list/[email protected]/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/
Scores
CVSS v3
3.3
EPSS
0.0022
EPSS Percentile
12.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-20
Status
published
Products (6)
python/python
3.15.0 alpha1 (7 CPE variants)
python/python
< 3.13.13
Python Software Foundation/CPython
< 3.13.13
Python Software Foundation/CPython
< 3.15.0
Python Software Foundation/CPython
3.14.0 - 3.14.4
Python Software Foundation/CPython
3.15.0a1 - 3.15.0a8
Published
Mar 20, 2026
Tracked Since
Mar 20, 2026