HIGHCVE-2026-4519Published 2026-03-20Modified 2026-04-13CNA PSF

CVE-2026-4519: webbrowser.open() allows leading dashes in URLs

The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

CVSS v4.0: 7.0
Severity: HIGH
Fixed in: 3.13.13
Affected Products: 1

Fix available

3.13.133.14.43.15.0a8

Patch commits

github.com
github.com
github.com
github.com
github.com
github.com
github.com
github.com
github.com
github.com
github.com
github.com
github.com

Affected packages

Python Software Foundation / CPython
< 3.13.13 (from 0) · < 3.14.4 (from 3.14.0) · < 3.15.0a8 (from 3.15.0a1)

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

github.com
github.com
mail.python.org
github.com
github.com
github.com
github.com
github.com
github.com
github.com
github.com
github.com
github.com
github.com
github.com

Metrics

Fix available