{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-4519","assignerOrgId":"28c92f92-d60d-412d-b760-e73465c3df22","state":"PUBLISHED","assignerShortName":"PSF","dateReserved":"2026-03-20T15:01:11.126Z","datePublished":"2026-03-20T15:08:32.576Z","dateUpdated":"2026-04-13T21:47:40.137Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","modules":["webbrowser"],"product":"CPython","repo":"https://github.com/python/cpython","vendor":"Python Software Foundation","versions":[{"lessThan":"3.13.13","status":"affected","version":"0","versionType":"python"},{"lessThan":"3.14.4","status":"affected","version":"3.14.0","versionType":"python"},{"lessThan":"3.15.0a8","status":"affected","version":"3.15.0a1","versionType":"python"}]}],"credits":[{"lang":"en","type":"coordinator","value":"Seth Larson"},{"lang":"en","type":"remediation reviewer","value":"Gregory P. Smith"},{"lang":"en","type":"reporter","value":"an7y"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The webbrowser.open() API would accept leading dashes in the URL which \ncould be handled as command line options for certain web browsers. New \nbehavior rejects leading dashes. Users are recommended to sanitize URLs \nprior to passing to webbrowser.open()."}],"value":"The webbrowser.open() API would accept leading dashes in the URL which \ncould be handled as command line options for certain web browsers. New \nbehavior rejects leading dashes. Users are recommended to sanitize URLs \nprior to passing to webbrowser.open()."}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"PRESENT","attackVector":"LOCAL","baseScore":7,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"ACTIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"providerMetadata":{"orgId":"28c92f92-d60d-412d-b760-e73465c3df22","shortName":"PSF","dateUpdated":"2026-04-13T21:47:40.137Z"},"references":[{"tags":["patch"],"url":"https://github.com/python/cpython/pull/143931"},{"tags":["issue-tracking"],"url":"https://github.com/python/cpython/issues/143930"},{"tags":["vendor-advisory"],"url":"https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/"},{"tags":["patch"],"url":"https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866"},{"tags":["patch"],"url":"https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b"},{"tags":["patch"],"url":"https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76"},{"tags":["patch"],"url":"https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5"},{"tags":["patch"],"url":"https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03"},{"tags":["patch"],"url":"https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48"},{"tags":["patch"],"url":"https://github.com/python/cpython/commit/3681d47a440865aead912a054d4599087b4270dd"},{"tags":["patch"],"url":"https://github.com/python/cpython/commit/591ed890270c5697b013bf637029fb3e6cd2d73e"},{"tags":["patch"],"url":"https://github.com/python/cpython/commit/594b5a05dc9913880ac92eded440defbf32a28d1"},{"tags":["patch"],"url":"https://github.com/python/cpython/commit/89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4"},{"tags":["patch"],"url":"https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c"},{"tags":["patch"],"url":"https://github.com/python/cpython/commit/cc023511238ad93ecc8796157c6f9139a2bb2932"}],"source":{"discovery":"UNKNOWN"},"title":"webbrowser.open() allows leading dashes in URLs","x_generator":{"engine":"Vulnogram 0.6.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2026/03/20/1"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2026-03-20T20:07:08.244Z"}},{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-20","lang":"en","description":"CWE-20 Improper Input Validation"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-25T14:30:47.809505Z","id":"CVE-2026-4519","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-25T14:31:16.543Z"}}]}}