CVE-2026-4519

webbrowser.open() allows leading dashes in URLs

Severity Score

7.0

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

*Credits: Seth Larson, Gregory P. Smith, an7y

CVSS Scores

Python SFv4 7.0

Attack Vector

Local

Attack Complexity

Low

Attack Requirements

Present

Privileges Required

None

User Interaction

Active

System

Vulnerable | Subsequent

Confidentiality

High

None

Integrity

High

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2026-03-20 CVE Reserved
2026-03-20 CVE Published
2026-04-13 CVE Updated
2026-05-13 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (16)

URL	Tag	Source
https://github.com/python/cpython/issues/143930	Issue Tracking
http://www.openwall.com/lists/oss-security/2026/03/20/1

URL	Date	SRC

URL	Date	SRC
https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866	2026-03-24
https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b	2026-03-24
https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76	2026-03-24
https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5	2026-03-24
https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03	2026-03-24
https://github.com/python/cpython/pull/143931	2026-03-24
https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48	2026-04-13
https://github.com/python/cpython/commit/3681d47a440865aead912a054d4599087b4270dd	2026-04-13
https://github.com/python/cpython/commit/591ed890270c5697b013bf637029fb3e6cd2d73e	2026-04-13
https://github.com/python/cpython/commit/594b5a05dc9913880ac92eded440defbf32a28d1	2026-04-13
https://github.com/python/cpython/commit/89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4	2026-04-13
https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c	2026-04-13
https://github.com/python/cpython/commit/cc023511238ad93ecc8796157c6f9139a2bb2932	2026-04-13

URL	Date	SRC
https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS	2026-03-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Python Software Foundation Search vendor "Python Software Foundation"		CPython Search vendor "Python Software Foundation" for product "CPython"				< 3.13.13 Search vendor "Python Software Foundation" for product "CPython" and version " < 3.13.13"		en		Affected
Python Software Foundation Search vendor "Python Software Foundation"		CPython Search vendor "Python Software Foundation" for product "CPython"				>= 3.14.0 < 3.14.4 Search vendor "Python Software Foundation" for product "CPython" and version " >= 3.14.0 < 3.14.4"		en		Affected