CVE-2026-4519: webbrowser.open() allows leading dashes in URLs
The webbrowser.open() API would accept leading dashes in the URL which
could be handled as command line options for certain web browsers. New
behavior rejects leading dashes. Users are recommended to sanitize URLs
prior to passing to webbrowser.open().
Security readout for executives and security teams
Plain-English summary
CVE-2026-4519 affects Python's webbrowser.open() handling of URLs that start with dashes. In some browser integrations, that input could be interpreted as command-line options, creating a path to serious compromise when attacker-controlled input is opened.
Executive priority
Prioritize remediation for applications that open user-supplied links through Python automation or desktop workflows. This is high severity but not currently shown as actively exploited in the provided sources.
Technical view
The issue is improper input validation and argument injection in CPython's webbrowser.open(). The fixed behavior rejects leading-dash URLs. The CVSS 3.1 score is 7.1, with network attack vector, high complexity, no privileges, required user interaction, and high confidentiality and integrity impact.
Likely exposure
Exposure is most likely in Python applications or scripts that pass user-controlled or external URLs into webbrowser.open(). The source record names CPython and affected version entries 0, 3.14.0, and 3.15.0a1, with other versions not established here.
Exploitation context
The source bundle does not show CISA KEV listing or active exploitation. Successful abuse appears conditional: an attacker must influence the URL, the application must call webbrowser.open(), and the selected browser path must treat leading dashes as options.
Researcher notes
Key research focus is the boundary between Python URL validation and browser command-line parsing. Evidence supports argument injection risk, but affected browser-specific behaviors, exact fixed release mapping, and real-world exploitation are not fully detailed in the bundle.
Mitigation direction
Apply CPython or operating-system vendor security updates when available.
Reject or sanitize URLs beginning with dashes before calling webbrowser.open().
Audit application paths that open external or user-supplied URLs.
Follow Python Software Foundation and distro advisories for fixed release guidance.
Validation and detection
Inventory CPython versions used in servers, desktops, build agents, and packaged tools.
Review code for webbrowser.open() calls receiving external input.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-20: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Command injection weaknesses can lead defenders to review execution techniques and command interpreter telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
5Timeline events
3ADP providers
56Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-20 · source CWE mapping
Improper Input Validation
Improper Input Validation represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.