CVE-2026-4786

Published: Apr 13, 2026

Modified: Apr 29, 2026

PUBLISHED

Description

Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.

Vendor	Product	Versions
Python Software Foundation	CPython	affected `0 - < 3.15.0`

Weaknesses (CWE)

CWE-77

References

https://github.com/python/cpython/pull/148170

patch

https://github.com/python/cpython/issues/148169

issue-tracking

https://mail.python.org/archives/list/[email protected]/thread/JQDUNJVB4AQNTJECSUKOBDU3XCJIPSE5/

vendor-advisory

https://github.com/python/cpython/commit/c5767a72838a8dda9d6dc5d3558075b055c56bca

patch

https://github.com/python/cpython/commit/d22922c8a7958353689dc4763dd72da2dea03fff

patch

https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769

patch

https://github.com/python/cpython/commit/28b4ad38067bbdad34edfcd03ad2de5f06387e53

patch

https://github.com/python/cpython/commit/d6d68494be70bdbda20f89f83801ba52ec37daa4

patch

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-4786

Description

Affected Products

Weaknesses (CWE)

References