9 matches found

OSV
added 2026/05/07 9:15 a.m., 11 views

CLSA-2026-1778145319 python2: Fix of 3 CVEs

CVE-2025-8194: validate that tarfile member offsets are non-negative to prevent infinite loop / DoS during parsing of malicious tar archives - CVE-2026-4519: reject URLs with leading dashes in webbrowser.open to prevent injection of command-line options into spawned browser process -...

CVSS 7.5 | AI score 5.8 | EPSS 0.00611
Exploits: 0 | References: 1
OSV
added 2026/05/07 8:29 a.m., 6 views

CLSA-2026-1778142589 python3: Fix of 2 CVEs

CVE-2026-4519: reject leading dashes in webbrowser URLs to block command-line option injection via webbrowser.open - CVE-2026-4786: validate the post-substitution URL in webbrowser UnixBrowser.open so that "%action" cannot smuggle a dash-prefixed flag past the CVE-2026-4519 dash-prefix check...

CVSS 7.1 | AI score 7.1 | EPSS 0.00308
Exploits: 0 | References: 1
OSV
added 2026/05/05 11:32 p.m., 6 views

CLSA-2026-1778015238 python: Fix of CVE-2026-4519

CVE-2026-4519: reject leading dashes in webbrowser URLs that could be treated as command-line options by external browsers; also close a %action-substitution bypass of the check in UnixBrowser.open...

CVSS 7.1 | AI score 5.8 | EPSS 0.00308
Exploits: 0 | References: 1
OSV
added 2026/05/04 10:38 a.m., 6 views

CLSA-2026-1777891107 python3.11: Fix of CVE-2026-4786

CVE-2026-4786: fix webbrowser %action substitution bypass of the dash-prefix safety check by validating the post-substitution URL and expanding %action before %s in UnixBrowser argument assembly...

CVSS 7.1 | AI score 5.8 | EPSS 0.0029
Exploits: 0 | References: 1
OSV
added 2026/05/02 12:58 a.m., 8 views

CLSA-2026-1777457441 python: Fix of 2 CVEs

CVE-2026-4519: reject webbrowser.open URLs with a leading dash to prevent CLI option injection into the spawned browser process - CVE-2026-4786: validate URLs after %action substitution and swap the substitution order in UnixBrowser.open to close a bypass of the CVE-2026-4519 dash-prefix check...

CVSS 7.1 | AI score 7.1 | EPSS 0.00308
Exploits: 0 | References: 1
CloudLinux
added 2026/05/02 12:58 a.m., 15 views

python: Fix of 2 CVEs

CVE-2026-4519: reject webbrowser.open URLs with a leading dash to prevent CLI option injection into the spawned browser process - CVE-2026-4786: validate URLs after %action substitution and swap the substitution order in UnixBrowser.open to close a bypass of the CVE-2026-4519 dash-prefix check...

CVSS 7.1 | AI score 6.4 | EPSS 0.00308
Exploits: 0
OSV
added 2026/05/01 9:6 a.m., 15 views

CLSA-2026-1777626401 python3: Fix of 3 CVEs

CVE-2026-6100: clear dangling nextin pointer on MemoryError in bz2/lzma decompressors to avoid use-after-free on instance reuse - CVE-2026-4786: validate the post-substitution URL in webbrowser UnixBrowser.open so that "%action" cannot smuggle a dash-prefixed flag past the CVE-2026-4519...

CVSS 9.1 | AI score 6 | EPSS 0.00579
Exploits: 0 | References: 1
OSV
added 2026/04/30 11:30 a.m., 4 views

CLSA-2026-1777548617 Fix CVE(s): CVE-2026-4519, CVE-2026-4786

SECURITY UPDATE: webbrowser.open accepts URLs with leading dashes - debian/patches/CVE-2026-4519-CVE-2026-4786.patch: reject URLs whose lstrip starts with '-' in Lib/webbrowser.py; also fix bypass via %action substitution in UnixBrowser.open. - CVE-2026-4519 - CVE-2026-4786...

CVSS 7.1 | AI score 7.1 | EPSS 0.00308
Exploits: 0 | References: 1
OSV
added 2026/04/30 11:27 a.m., 7 views

CLSA-2026-1777548458 Fix CVE(s): CVE-2026-4519, CVE-2026-4786

SECURITY UPDATE: webbrowser.open accepts URLs with leading dashes - debian/patches/CVE-2026-4519-CVE-2026-4786.patch: reject URLs whose lstrip starts with '-' in Lib/webbrowser.py; also fix bypass via %action substitution in UnixBrowser.open. - CVE-2026-4519 - CVE-2026-4786...

CVSS 7.1 | AI score 7.1 | EPSS 0.00308
Exploits: 0 | References: 1