CVE Catalog

CVE-2026-4519

LowCVSS 3.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.31%

22th percentile — higher than 22% of all known CVEs

Summary

The webbrowser.open() API in Python accepted URLs with leading dashes, which could be interpreted as command-line options by certain web browsers. The new behavior rejects such URLs.

Risk Assessment

An attacker could craft a URL with leading dashes, potentially causing the browser to execute unintended options, leading to code execution or data leakage.

Recommendation

Update Python to a version that includes the fix rejecting leading dashes. Additionally, always sanitize URLs before passing them to webbrowser.open().

Original NVD description (English source)

The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

Vulnerability data from NVD (NIST) · CISA KEV · EPSS