367 matches found
CVE-2026-4786
A flaw was found in the Python webbrowser.open API. If a specially crafted URL containing "%action" is processed, an attacker could bypass a previous mitigation for CVE-2026-4519. This bypass allows for command injection into the underlying shell, potentially leading to arbitrary code execution...
CLSA-2026-1776169648 python3.9: Fix of CVE-2026-4519
CVE-2026-4519: reject leading dashes in webbrowser URLs - Update pubkeys.txt with refreshed Łukasz Langa GPG key expired 2025-05-12...
EUVD-2026-22134
Mitigation of CVE-2026-4519 was incomplete. If the URL contained "%action", the mitigation could be bypassed for certain browser types; the "webbrowser.open" API could have commands injected into the underlying shell. See CVE-2026-4519 for details...
Amazon Linux 2 : python3, --advisory ALAS2-2026-3228 (ALAS-2026-3228)
The version of python3 installed on the remote host is prior to 3.7.16-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3228 advisory. The tarfile module would still apply normalization of AREGTYPE \x00 blocks to DIRTYPE, even while processing a multi-bloc...
Important: python3
Issue Overview: The "tarfile" module would still apply normalization of AREGTYPE \x00 blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPELONGNAME or GNUTYPELONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other...
Important: python
Issue Overview: The "tarfile" module would still apply normalization of AREGTYPE \x00 blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPELONGNAME or GNUTYPELONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other...
DEBIAN-CVE-2026-4786
Mitigation of CVE-2026-4519 was incomplete. If the URL contained "%action", the mitigation could be bypassed for certain browser types; the "webbrowser.open" API could have commands injected into the underlying shell. See CVE-2026-4519 for details...
CVE-2026-4786
CVE-2026-4786 notes incomplete mitigation of CVE-2026-4519. The issue arises when a URL contains "%action" allowing bypass of mitigation for certain browser types in Python's webbrowser.open(), enabling potential commands injected into the underlying shell. Connected CVE-4519 details indicate the...
CVE-2026-4786 Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()
Mitigation of CVE-2026-4519 was incomplete. If the URL contained "%action", the mitigation could be bypassed for certain browser types; the "webbrowser.open" API could have commands injected into the underlying shell. See CVE-2026-4519 for details...
CVE-2026-4786
Mitigation of CVE-2026-4519 was incomplete. If the URL contained "%action", the mitigation could be bypassed for certain browser types; the "webbrowser.open" API could have commands injected into the underlying shell. See CVE-2026-4519 for details...
SUSE-SU-2026:21178-1 Security update for python313
This update for python313 fixes the following issues: Update to version 3.13.13. - CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined can lead to misinterpretation of tar archives bsc1259611. - CVE-2026-2297: incorrectly handled hook in FileLoader can...
OPENSUSE-SU-2026:20517-1 Security update for python313
This update for python313 fixes the following issues: Update to version 3.13.13. - CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined can lead to misinterpretation of tar archives bsc1259611. - CVE-2026-2297: incorrectly handled hook in FileLoader can...
MiracleLinux 9 : python3.9-3.9.25-3.el9_7.2 (AXSA:2026-419:03)
The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2026-419:03 advisory. python: Python: Command-line option injection in webbrowser.open via crafted URLs (CVE-2026-4519). Tenable has extracted the preceding description block directly...
Amazon Linux 2023 : python3.11, python3.11-devel, python3.11-idle (ALAS2023-2026-1558)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1558 advisory. The webbrowser.open API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to...
Amazon Linux 2023 : python3.13, python3.13-devel, python3.13-freethreading (ALAS2023-2026-1555)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1555 advisory. The webbrowser.open API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to...
Amazon Linux 2023 : python3.12, python3.12-devel, python3.12-idle (ALAS2023-2026-1557)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1557 advisory. The webbrowser.open API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to...
PT-2026-32545
Name of the Vulnerable Software and Affected Versions: The product name cannot be determined; affected versions not specified. Description: An incomplete mitigation allows for a bypass when a URL contains the string "%action". For certain browser types, this can lead to command injection into the...
Important: python3.13
Issue Overview: The webbrowser.open API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open. CVE-2026-4519 Affected Packages:...
Important: python3.14
Issue Overview: The webbrowser.open API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open. CVE-2026-4519 Affected Packages:...
AlmaLinux 9 : python3.9 (ALSA-2026:6766)
The remote AlmaLinux 9 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2026:6766 advisory. python: Python: Command-line option injection in webbrowser.open via crafted URLs (CVE-2026-4519). Tenable has extracted the preceding description block directly from...