CVE-2026-4519
LowCVSS 3.3Exploitation Probability (EPSS)
Low risk22th percentile — higher than 22% of all known CVEs
Summary
The webbrowser.open() API in Python accepted URLs with leading dashes, which could be interpreted as command-line options by certain web browsers. The new behavior rejects such URLs.
Risk Assessment
An attacker could craft a URL with leading dashes, potentially causing the browser to execute unintended options, leading to code execution or data leakage.
Recommendation
Update Python to a version that includes the fix rejecting leading dashes. Additionally, always sanitize URLs before passing them to webbrowser.open().
Original NVD description (English source)
The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

