{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4786", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "state": "PUBLISHED", "assignerShortName": "PSF", "dateReserved": "2026-03-24T19:25:48.269Z", "datePublished": "2026-04-13T21:52:19.036Z", "dateUpdated": "2026-04-29T15:30:58.707Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "CPython", "repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "versions": [{"lessThan": "3.15.0", "status": "affected", "version": "0", "versionType": "python"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "an7y"}, {"lang": "en", "type": "coordinator", "value": "Seth Larson"}, {"lang": "en", "type": "remediation developer", "value": "Stan Ulbrych"}], "descriptions": [{"lang": "en", "supportingMedia": [{"type": "text/html", "value": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details."}], "value": "Mitgation of\u00a0CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See\u00a0CVE-2026-4519 for details."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "description": "CWE-77", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2026-04-29T15:30:58.707Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/python/cpython/pull/148170"}, {"tags": ["issue-tracking"], "url": "https://github.com/python/cpython/issues/148169"}, {"tags": ["vendor-advisory"], "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/JQDUNJVB4AQNTJECSUKOBDU3XCJIPSE5/"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/c5767a72838a8dda9d6dc5d3558075b055c56bca"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/d22922c8a7958353689dc4763dd72da2dea03fff"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/28b4ad38067bbdad34edfcd03ad2de5f06387e53"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/d6d68494be70bdbda20f89f83801ba52ec37daa4"}], "source": {"discovery": "UNKNOWN"}, "title": "Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()", "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T13:43:47.712946Z", "id": "CVE-2026-4786", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:43:54.704Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4786", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T13:43:47.712946Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:43:51.497Z"}}], "cna": {"title": "Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "an7y"}, {"lang": "en", "type": "coordinator", "value": "Seth Larson"}, {"lang": "en", "type": "remediation developer", "value": "Stan Ulbrych"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "product": "CPython", "versions": [{"status": "affected", "version": "0", "lessThan": "3.15.0", "versionType": "python"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/python/cpython/pull/148170", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/issues/148169", "tags": ["issue-tracking"]}, {"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/JQDUNJVB4AQNTJECSUKOBDU3XCJIPSE5/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/python/cpython/commit/c5767a72838a8dda9d6dc5d3558075b055c56bca", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/d22922c8a7958353689dc4763dd72da2dea03fff", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/28b4ad38067bbdad34edfcd03ad2de5f06387e53", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/d6d68494be70bdbda20f89f83801ba52ec37daa4", "tags": ["patch"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "Mitgation of\u00a0CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See\u00a0CVE-2026-4519 for details.", "supportingMedia": [{"type": "text/html", "value": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details."}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2026-04-29T15:30:58.707Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4786", "state": "PUBLISHED", "dateUpdated": "2026-04-29T15:30:58.707Z", "dateReserved": "2026-03-24T19:25:48.269Z", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "datePublished": "2026-04-13T21:52:19.036Z", "assignerShortName": "PSF"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Mitgation of\u00a0CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See\u00a0CVE-2026-4519 for details."}], "id": "CVE-2026-4786", "lastModified": "2026-04-29T16:16:26.123", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@python.org", "type": "Secondary"}]}, "published": "2026-04-13T22:16:30.413", "references": [{"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/28b4ad38067bbdad34edfcd03ad2de5f06387e53"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/c5767a72838a8dda9d6dc5d3558075b055c56bca"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/d22922c8a7958353689dc4763dd72da2dea03fff"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/d6d68494be70bdbda20f89f83801ba52ec37daa4"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/issues/148169"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/pull/148170"}, {"source": "cna@python.org", "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/JQDUNJVB4AQNTJECSUKOBDU3XCJIPSE5/"}], "sourceIdentifier": "cna@python.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "cna@python.org", "type": "Secondary"}]}

{"bugzilla": {"description": "python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API", "id": "2458049", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458049"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-88", "details": ["A flaw was found in the Python webbrowser.open() API. If a specially crafted URL containing \"%action\" is processed, an attacker could bypass a previous mitigation for CVE-2026-4519. This bypass allows for command injection into the underlying shell, potentially leading to arbitrary code execution."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-4786", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "python3.14", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "python", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "python", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "python2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "python36", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "python36:3.6/python36", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "python38", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "python39", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "python3.14", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "python3.9", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-aws-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-azure-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-azure-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-gcp-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}], "public_date": "2026-04-13T21:52:19Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4786\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4786\nhttps://github.com/python/cpython/issues/148169\nhttps://github.com/python/cpython/pull/148170\nhttps://mail.python.org/archives/list/security-announce@python.org/thread/JQDUNJVB4AQNTJECSUKOBDU3XCJIPSE5/"], "statement": "This flaw in the Python `webbrowser.open()` API allows for command injection and arbitrary code execution when processing specially crafted URLs containing \"%action\". This bypasses a previous mitigation for CVE-2026-4519.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.15.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "CPython", "source": "cna", "vendor": "Python Software Foundation"}, "product": "cpython", "vendor": "python"}], "analysis": {"en": {"generated_at": "2026-04-15T01:54:22.137967+00:00", "value": {"mitigation_remediation": ["Update CPython to a version that includes the fix from pull request 148170 (or apply the patch).", "If an immediate upgrade is not possible, ensure that webbrowser.open() is not called with untrusted URLs, or remove usage of the function in applications until the patch is applied.", "Regularly monitor the Python release channel and security mailing lists for additional advisories."], "summary": {"action": "Immediate Patch", "impact": "Command Injection leading to arbitrary code execution"}, "threat_synthesis": {"affected_systems": "The affected product is the CPython interpreter, maintained by the Python Software Foundation. No specific version range is listed in the CNA data, so any CPython installation that includes the vulnerable webbrowser.open implementation may be affected until the patch is applied. Review releases following the GitHub pull request to identify impacted releases.", "description_and_impact": "The vulnerability arises from incomplete mitigation of a prior issue (CVE-2026-4519). When a URL containing the string '%action' is passed to Python's webbrowser.open() function, the %action sequence is expanded by certain browsers, allowing an attacker to inject commands into the underlying system shell. This bypasses the existing safeguard and can execute arbitrary shell commands. The weaknesses include a classic command injection problem (CWE\u201177) and an additional vulnerability reflected by CWE\u201188.", "risk_and_exploitability": "The CVSS base score is 7, indicating a high severity. The EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalogue, suggesting no known widespread exploitation yet. The likely attack requires a crafted URL string to be processed by an application that calls webbrowser.open. An attacker would need the ability to influence that input, which could be within a local environment or within a web application that passes user\u2011provided URLs. Thus the risk is moderate to high, depending on deployment context. Prompt patching mitigates the risk."}}}}, "created": "2026-04-14T16:17:03.203706+00:00", "updated": "2026-04-15T15:45:07.530244+00:00", "vendors": ["python", "python$PRODUCT$cpython"]}