CPython webbrowser.open() Leading-Dash URL Injection in 3.15
CVE-2026-4519 Published on March 20, 2026
webbrowser.open() allows leading dashes in URLs
The webbrowser.open() API would accept leading dashes in the URL which
could be handled as command line options for certain web browsers. New
behavior rejects leading dashes. Users are recommended to sanitize URLs
prior to passing to webbrowser.open().
Vulnerability Analysis
CVE-2026-4519 can be exploited with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and a small impact on availability.
Privileges Required:
NONE
User Interaction:
REQUIRED
Confidentiality Impact:
HIGH
Weakness Types
Improper Input Validation
The product receives input or data, but it does
not validate or incorrectly validates that the input has the
properties that are required to process the data safely and
correctly.
What is an Argument Injection Vulnerability?
The software constructs a string for a command to executed by a separate component
in another control sphere, but it does not properly delimit the
intended arguments, options, or switches within that command string.
CVE-2026-4519 has been classified to as an Argument Injection vulnerability or weakness.
Products Associated with CVE-2026-4519
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-4519 are published in these products:
Affected Versions
Python Software Foundation
CPython:
-
Before 3.13.13
is affected.
-
Version 3.14.0 and below 3.14.4
is affected.
-
Version 3.15.0a1 and below 3.15.0a8
is affected.
Red Hat Enterprise Linux Server -EXTENSION(v. 6 ELS-EXTENSION):
Red Hat Enterprise Linux Server Optional -EXTENSION (v. 6 ELS -EXTENSION):
Red Hat Enterprise Linux Server (v. 7 ELS):
Red Hat Enterprise Linux Server Optional (v. 7 ELS):
Red Hat
Middleware Containers for OpenShift:
Red Hat Enterprise Linux AppStream EUS (v. 10.0):
Red Hat Enterprise Linux AppStream (v. 10):
Red Hat Enterprise Linux AppStream (v. 8):
Red Hat Enterprise Linux AppStream AUS (v. 8.2):
Red Hat Enterprise Linux AppStream AUS (v.8.4):
Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4):
Red Hat Enterprise Linux AppStream AUS (v.8.6):
Red Hat Enterprise Linux AppStream E4S (v.8.6):
Red Hat Enterprise Linux AppStream TUS (v.8.6):
Red Hat Enterprise Linux AppStream E4S (v.8.8):
Red Hat Enterprise Linux AppStream TUS (v.8.8):
Red Hat Enterprise Linux AppStream E4S (v.9.0):
Red Hat Enterprise Linux AppStream E4S (v.9.2):
Red Hat Enterprise Linux AppStream EUS (v.9.4):
Red Hat Enterprise Linux AppStream EUS (v.9.6):
Red Hat Enterprise Linux AppStream (v. 9):
Red Hat Enterprise Linux BaseOS EUS (v. 10.0):
Red Hat Enterprise Linux BaseOS (v. 10):
Red Hat Enterprise Linux BaseOS (v. 8):
Red Hat Enterprise Linux BaseOS AUS (v. 8.2):
Red Hat Enterprise Linux BaseOS AUS (v.8.4):
Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4):
Red Hat Enterprise Linux BaseOS AUS (v.8.6):
Red Hat Enterprise Linux BaseOS E4S (v.8.6):
Red Hat Enterprise Linux BaseOS TUS (v.8.6):
Red Hat Enterprise Linux BaseOS E4S (v.8.8):
Red Hat Enterprise Linux BaseOS TUS (v.8.8):
Red Hat Enterprise Linux BaseOS E4S (v.9.0):
Red Hat Enterprise Linux BaseOS E4S (v.9.2):
Red Hat Enterprise Linux BaseOS EUS (v.9.4):
Red Hat Enterprise Linux BaseOS EUS (v.9.6):
Red Hat Enterprise Linux BaseOS (v. 9):
Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0):
Red Hat Enterprise Linux CodeReady Linux Builder (v. 10):
Red Hat Enterprise Linux CRB (v. 8):
Red Hat CodeReady Linux Builder EUS (v.9.4):
Red Hat CodeReady Linux Builder EUS (v.9.6):
Red Hat Enterprise Linux CodeReady Linux Builder (v. 9):
Red Hat AI Inference Server 3.2:
Red Hat AI Inference Server 3.3:
Red Hat Discovery 2:
Red Hat Enterprise Linux AI 3.3:
Red Hat Hardened Images:
Red Hat Update Infrastructure 5:
Red Hat Enterprise Linux 8:
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.
