Zero Day Monitor (ZDM) © 2026
CVE-2026-4786 · EXPLOITED · PATCHED
python software foundation · python

Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()

Description

Mitigation of CVE-2026-4519 was incomplete. If the URL contained "%action", the mitigation could be bypassed for certain browser types, and the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.

Affected Products

Vendor                      Product  Versions
python software foundation  python   0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor        Product       Source         Confidence
fedora        fedora linux  cert_advisory  90%
open source   python        cert_advisory  90%

References

  • https://github.com/python/cpython/pull/148170 (patch)
  • https://github.com/python/cpython/issues/148169 (issue-tracking)
  • https://mail.python.org/archives/list/security-announce@python.org/thread/JQDUNJVB4AQNTJECSUKOBDU3XCJIPSE5/ (vendor-advisory)
  • https://github.com/python/cpython/commit/c5767a72838a8dda9d6dc5d3558075b055c56bca (patch)
  • https://github.com/python/cpython/commit/d22922c8a7958353689dc4763dd72da2dea03fff (patch)
  • https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769 (patch)

Related News (5 articles)

Tier A · Microsoft MSRC · 1d ago
CVE-2026-4786 Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()
→ No new info (linked only)

Tier B · BSI Advisories · 5d ago
[NEW] [medium] CPython: Multiple vulnerabilities
→ No new info (linked only)

Tier C · VulDB · 6d ago
CVE-2026-4786 | Python CPython up to 3.14.x webbrowser.open command injection (ID 148169)
→ No new info (linked only)

Tier B · CERT-FR · 6d ago
Multiple vulnerabilities in Python (14 April 2026)
→ No new info (linked only)

Tier C · oss-security · 6d ago
[oss-security][CVE-2026-4786] CPython: Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()
→ No new info (linked only)
CISA KEV: No
Actively exploited: Yes
Patch available: 3.15.0
CWE: CWE-77
Published: Apr 13, 2026
Last enriched: 6d ago (v3)
Trending Score: 58
Source articles: 5
Independent: 5
Info Completeness: 9/14
Missing: cvss, epss, kev, iocs, mitre_attack

Related CVEs (5)

NONE · CVE-2026-5713 · EXP
Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target
Trending: 31

NONE · CVE-2026-1502
HTTP client proxy tunnel headers not validated for CR/LF
Trending: 23

NONE · CVE-2026-3446 · EXP
Base64 decoding stops at first padded quad by default
Trending: 21

NONE · CVE-2026-3644
Incomplete control character validation in http.cookies
Trending: 17

HIGH · CVE-2026-34591 · EXP
Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write
Trending: 10

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

Apr 13, 2026  CVE Published
Apr 13, 2026  Discovered by ZDM
Apr 13, 2026  Updated: severity, exploitAvailable, activelyExploited
Apr 14, 2026  Updated: description, affectedVersions, severity
Apr 14, 2026  Actively Exploited
Apr 14, 2026  Exploit Available
Apr 14, 2026  Patch Available

Version History

Current version: v3 (last enriched 6d ago)

v3 · Tier C · 6d ago

Updated description with new details, changed severity to CRITICAL, added affected version 3.14.x, and noted no exploit is available.

Changed fields: description, affectedVersions, severity
via VulDB

v2 · Tier C · 6d ago

Updated severity to HIGH, marked exploit as available, and noted that it is actively exploited.

Changed fields: severity, exploitAvailable, activelyExploited
via oss-security

v1 · 6d ago

Initial creation