CVE-2026-4519
webbrowser.open() allows leading dashes in URLs
CVSS 3.1: 3.3 (LOW)
EPSS: 0.01%
Description
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().
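One way to apply the sanitization the description recommends, as an added example that is not CPython's fix or code from this advisory. The names `sanitize_url`, `open_untrusted_url`, `is_safe`, `UnsafeURLError` and `ALLOWED_SCHEMES` are hypothetical, and the http/https-only allowlist is an assumption about what the application needs to open.

```python
import webbrowser
from urllib.parse import urlsplit

# Assumption: the application only ever needs to open web links.
ALLOWED_SCHEMES = {"http", "https"}


class UnsafeURLError(ValueError):
    """Raised when a URL must not be handed to webbrowser.open()."""


def sanitize_url(url):
    """Return url unchanged if it is safe to pass on, else raise UnsafeURLError."""
    if not isinstance(url, str) or not url:
        raise UnsafeURLError("URL must be a non-empty string")
    # Check the raw string first: urlsplit() may strip leading whitespace and
    # control characters, which would hide them from the later checks.
    if any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        raise UnsafeURLError("whitespace or control characters in URL")
    if url.startswith("-"):
        raise UnsafeURLError("leading dash could be read as a browser option")
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        raise UnsafeURLError(f"unparseable URL: {exc}") from exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURLError(f"scheme {parts.scheme!r} is not allowed")
    if not parts.hostname:
        raise UnsafeURLError("URL has no host")
    return url


def open_untrusted_url(url, opener=webbrowser.open):
    """Validate first; the opener is only called for URLs that pass."""
    return opener(sanitize_url(url))


def is_safe(url):
    """Boolean form of sanitize_url() for filtering or logging."""
    try:
        sanitize_url(url)
        return True
    except UnsafeURLError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs; the option name is a placeholder.
    for sample in ["https://example.com/docs?page=2", "--placeholder-option=value",
                   " https://example.com/", "file:///tmp/report.html"]:
        print(f"{sample!r}: {'ok' if is_safe(sample) else 'rejected'}")
```

Keeping this check in place after upgrading also covers interpreters in the list below that have no fixed version.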
How to fix CVE-2026-4519
To remediate CVE-2026-4519, upgrade the affected package to a fixed version below.
- —upgrade to 3.15.0 or later
- —upgrade to 3.15.0 or later
- —no fix listed
- —no fix listed
- —no fix listed
- —no fix listed
- —upgrade to 3.13.5-2+deb13u2 or later
- —upgrade to 3.14.4-1 or later
- —upgrade to 3.9.2-1+deb11u7 or later
Is CVE-2026-4519 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (9)
- from 0, < 3.15.0
- from 0, < 3.15.0
- from 0
- from 0
- from 0
- from 0
- from 0, < 3.13.5-2+deb13u2
- from 0, < 3.14.4-1
- from 0, < 3.9.2-1+deb11u7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | CVSS 3.1 | LOW 3.3 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |