Injection Vulnerability in Python's Webbrowser API
CVE-2026-4786

Score: 7 (HIGH)

What is CVE-2026-4786?

The vulnerability stems from an incomplete mitigation of an earlier security issue, leaving room for command injection when a URL passed to the `webbrowser.open()` API contains the substring '%action'. The flaw affects certain browser types, and in those cases an attacker who controls the URL can inject commands into the underlying shell, posing significant risk to users and systems that rely on this functionality.

Affected Version(s)

CPython, all versions before 3.15.0 (< 3.15.0)

References

CVSS V4

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

  • an7y
  • Seth Larson
  • Stan Ulbrych