CVE-2026-4519
Public on 2026-03-20
Modified on 2026-03-24
Description
The webbrowser.open() API would accept leading dashes in the URL which
could be handled as command line options for certain web browsers. New
behavior rejects leading dashes. Users are recommended to sanitize URLs
prior to passing to webbrowser.open().
could be handled as command line options for certain web browsers. New
behavior rejects leading dashes. Users are recommended to sanitize URLs
prior to passing to webbrowser.open().
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | python | 2026-04-14 | ALAS2-2026-3227 | Fixed |
| Amazon Linux 2 - Core | python3 | 2026-04-14 | ALAS2-2026-3228 | Fixed |
| Amazon Linux 2023 | python3.11 | 2026-04-13 | ALAS2023-2026-1558 | Fixed |
| Amazon Linux 2023 | python3.12 | 2026-04-13 | ALAS2023-2026-1557 | Fixed |
| Amazon Linux 2023 | python3.13 | 2026-04-13 | ALAS2023-2026-1555 | Fixed |
| Amazon Linux 2023 | python3.14 | 2026-04-13 | ALAS2023-2026-1556 | Fixed |
| Amazon Linux 2023 | python3.9 | 2026-04-13 | ALAS2023-2026-1583 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L |