119 matches found
Oracle Linux 9 : python3.14 (ELSA-2026-19176)
The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-19176 advisory. - Security fixes for CVE-2026-1502, CVE-2026-4786, CVE-2026-5713, CVE-2026-6100 Resolves: RHEL-167918, RHEL-168160 - Security fixes for CVE-2026-2297,...
python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API
A flaw was found in the Python webbrowser.open API. If a specially crafted URL containing "%action" is processed, an attacker could bypass a previous mitigation for CVE-2026-4519. This bypass allows for command injection into the underlying shell, potentially leading to arbitrary code execution...
python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API
A flaw was found in the Python webbrowser.open API. If a specially crafted URL containing "%action" is processed, an attacker could bypass a previous mitigation for CVE-2026-4519. This bypass allows for command injection into the underlying shell, potentially leading to arbitrary code execution...
python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API
A flaw was found in the Python webbrowser.open API. If a specially crafted URL containing "%action" is processed, an attacker could bypass a previous mitigation for CVE-2026-4519. This bypass allows for command injection into the underlying shell, potentially leading to arbitrary code execution...
RockyLinux 8 : python3 (RLSA-2026:6473)
The remote RockyLinux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2026:6473 advisory. python: Python: Command-line option injection in webbrowser.open via crafted URLs CVE-2026-4519 Tenable has extracted the preceding description block directly fro...
python3 security update
An update is available for python3. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Python is an interpreted, interactive, object-oriented programming language,...
RLSA-2026:6473 Important: python3 security update
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...
Amazon Linux 2023 : python3.13, python3.13-devel, python3.13-freethreading (ALAS2023-2026-1638)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1638 advisory. Mitgation of CVE-2026-4519 was incomplete. If the URL contained %action the mitigation could be bypassed for certain browser types the webbrowser.open API could have commands injected into the...
python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API
A flaw was found in the Python webbrowser.open API. If a specially crafted URL containing "%action" is processed, an attacker could bypass a previous mitigation for CVE-2026-4519. This bypass allows for command injection into the underlying shell, potentially leading to arbitrary code execution...
python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API
A flaw was found in the Python webbrowser.open API. If a specially crafted URL containing "%action" is processed, an attacker could bypass a previous mitigation for CVE-2026-4519. This bypass allows for command injection into the underlying shell, potentially leading to arbitrary code execution...
Important: python3.11 security update
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...
Important: python3
Issue Overview: Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open" API could have commands injected into the underlying shell. See CVE-2026-4519 for details. CVE-2026-4786 Use-after-free UAF wa...
Amazon Linux 2 : python3, --advisory ALAS2-2026-3281 (ALAS-2026-3281)
The version of python3 installed on the remote host is prior to 3.7.16-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3281 advisory. Mitgation of CVE-2026-4519 was incomplete. If the URL contained %action the mitigation could be bypassed for certain...
python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API
A flaw was found in the Python webbrowser.open API. If a specially crafted URL containing "%action" is processed, an attacker could bypass a previous mitigation for CVE-2026-4519. This bypass allows for command injection into the underlying shell, potentially leading to arbitrary code execution...
CLSA-2026-1777944042 Fix CVE(s): CVE-2025-8194, CVE-2026-4519, CVE-2026-4786
SECURITY UPDATE: tarfile DoS via negative member offsets - debian/patches/CVE-2025-8194.patch: validate that member offsets are non-negative in Lib/tarfile.py. - CVE-2025-8194 SECURITY UPDATE: webbrowser.open accepts URLs with leading dashes - debian/patches/CVE-2026-4519-CVE-2026-4786.patch:...
Oracle Linux 7 : python3 (ELSA-2026-9745)
The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2026-9745 advisory. 3.6.8-21.0.11 - Security update CVE-2026-4519 Orabug: 39246828 Tenable has extracted the preceding description block directly from the Oracle Linux security...
Amazon Linux 2023 : python3, python3-devel, python3-idle (ALAS2023-2026-1618)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1618 advisory. The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update, |= operator, and unpickling paths were not patched, allowing control...
CLSA-2026-1777454964 python: Fix of 2 CVEs
CVE-2026-4519: reject webbrowser.open URLs with a leading dash to prevent CLI option injection into the spawned browser process - CVE-2026-4786: validate URLs after %action substitution and swap the substitution order in UnixBrowser.open to close a bypass of the CVE-2026-4519 dash-prefix check...
Fedora 44 : python3.9 (2026-f7b3ebe324)
The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-f7b3ebe324 advisory. Security fix for CVE-2026-4519. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...
python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API
A flaw was found in the Python webbrowser.open API. If a specially crafted URL containing "%action" is processed, an attacker could bypass a previous mitigation for CVE-2026-4519. This bypass allows for command injection into the underlying shell, potentially leading to arbitrary code execution...