CVE-2026-4519

LOW

webbrowser.open() allows leading dashes in URLs

Title source: cna

Description

The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

References (16)

[Patch] https://github.com/python/cpython/pull/143931

[Issue Tracking] https://github.com/python/cpython/issues/143930

[Vendor Advisory] https://mail.python.org/archives/list/[email protected]/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/

[Mailing List] http://www.openwall.com/lists/oss-security/2026/03/20/1

[Patch] https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48

[Patch] https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866

[Patch] https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b

[Patch] https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76

[Patch] https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5

[Patch] https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03

View Patch ZIP pw:eip

[Patch] https://github.com/python/cpython/commit/3681d47a440865aead912a054d4599087b4270dd

[Patch] https://github.com/python/cpython/commit/591ed890270c5697b013bf637029fb3e6cd2d73e

[Patch] https://github.com/python/cpython/commit/594b5a05dc9913880ac92eded440defbf32a28d1

[Patch] https://github.com/python/cpython/commit/89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4

[Patch] https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c

[Patch] https://github.com/python/cpython/commit/cc023511238ad93ecc8796157c6f9139a2bb2932

Scores

CVSS v3 3.3

EPSS 0.0001

EPSS Percentile 0.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-20

Status published

Products (6)

python/python 3.15.0 alpha1 (7 CPE variants)

python/python < 3.13.13

Python Software Foundation/CPython < 3.13.13

Python Software Foundation/CPython < 3.15.0

Python Software Foundation/CPython 3.14.0 - 3.14.4

Python Software Foundation/CPython 3.15.0a1 - 3.15.0a8

Published Mar 20, 2026

Tracked Since Mar 20, 2026