Python webbrowser Command Injection Vulnerability via Mitigation Bypass

Vulnerability

A vulnerability has been identified in the Python 'webbrowser' module, affecting versions 3.10 through 3.14. It arises from an incomplete mitigation of a previous vulnerability (CVE-2026-4519), which allowed command injection into the underlying shell. The bypass occurs when a URL passed to the 'webbrowser.open()' API contains '%action' and is handled by certain browser types.

Impact

Exploitation of this vulnerability could lead to unauthorized command execution in the underlying shell, potentially resulting in system compromise.

Remediation

Upgrade to Python 3.10.12, 3.11.16, 3.12.6, 3.13.0, or 3.14.0 to address this vulnerability.
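As an added defensive example (not code from CPython or from this advisory): a wrapper that validates a URL before it reaches webbrowser.open(), refusing the '%action' token the advisory names along with malformed percent-escapes, control characters and non-http(s) schemes. The function names are assumptions; the extra '%s' check reflects the URL placeholder used in the module's own browser command templates, which this advisory does not discuss.

```python
import re
import webbrowser
from urllib.parse import urlsplit

# Tokens substituted into browser command templates by the webbrowser module.
# '%action' is the one this advisory names; '%s' is the URL placeholder in the
# same templates. Neither should ever appear literally in a caller-supplied URL.
_TEMPLATE_TOKENS = ("%action", "%s")
# Every '%' in a well-formed URL must start a two-hex-digit escape.
_BAD_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")
# Whitespace and ASCII control characters have no place in a URL that ends up
# on a command line.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")


def is_safe_url(url: str) -> bool:
    """Return True only for a plain http(s) URL free of template tokens."""
    if not isinstance(url, str) or _CONTROL.search(url):
        return False
    lowered = url.lower()  # reject '%ACTION' as well as '%action'
    if any(tok in lowered for tok in _TEMPLATE_TOKENS):
        return False
    if _BAD_PERCENT.search(url):
        return False
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def safe_open(url: str, opener=webbrowser.open) -> bool:
    """Validate the URL, then hand it to the real opener (injectable for tests)."""
    if not is_safe_url(url):
        raise ValueError(f"refusing to open untrusted URL: {url!r}")
    return opener(url)


if __name__ == "__main__":
    # Constructed sample inputs; a recording opener stands in for webbrowser.open
    # so nothing is launched while demonstrating the check.
    opened = []
    for candidate in ("https://example.com/?q=a%20b", "https://example.com/%action"):
        try:
            safe_open(candidate, opener=lambda u: opened.append(u) or True)
            print("opened:", candidate)
        except ValueError as exc:
            print("blocked:", exc)
```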

Added: Apr 13, 2026, 10:54 PM
Updated: Apr 13, 2026, 10:54 PM

Vulnerability Rating

Custom Algorithm

spread          7.8
impact         10.0
exploitability  5.0
remediation     7.7
relevance       5.9
threat          3.2
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.