git: 97f22e47abbc - main - security/vuxml: Add entry for Python CVE-2026-4786

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Daniel Engberg <diizzy_at_FreeBSD.org>
Date: Thu, 16 Apr 2026 21:38:38 UTC
The branch main has been updated by diizzy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=97f22e47abbca9561ddab83242f205ef2046fc24

commit 97f22e47abbca9561ddab83242f205ef2046fc24
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2026-04-13 22:52:20 +0000
Commit:     Daniel Engberg <diizzy@FreeBSD.org>
CommitDate: 2026-04-16 21:38:32 +0000

    security/vuxml: Add entry for Python CVE-2026-4786
    
    Incomplete mitigation of CVE-2026-4519,
    %action expansion for command injection to webbrowser.open()
    
    Obtained from:  GitHub repo
    Security:       CVE-2026-4786
                    cf75f572-378a-11f1-a119-e36228bfe7d4
---
 security/vuxml/vuln/2026.xml | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml
index 81f347cc62c5..9fe569801f9b 100644
--- a/security/vuxml/vuln/2026.xml
+++ b/security/vuxml/vuln/2026.xml
@@ -220,6 +220,41 @@
     </dates>
   </vuln>
 
+  <vuln vid="cf75f572-378a-11f1-a119-e36228bfe7d4">
+    <topic>python -- more webbrowser.open() command injection vulnerabilities</topic>
+    <affects>
+      <package><name>python310</name><range><ge>0</ge></range></package>
+      <package><name>python311</name><range><ge>0</ge></range></package>
+      <package><name>python312</name><range><ge>0</ge></range></package>
+      <package><name>python313</name><range><ge>0</ge></range></package>
+      <package><name>python314</name><range><lt>3.14.4_2</lt></range></package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Seth Larson reports:</p>
+	<blockquote cite="https://mail.python.org/archives/list/security-announce@python.org/thread/JQDUNJVB4AQNTJECSUKOBDU3XCJIPSE5/">
+	  <p>[CVE-2026-4786] Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()</p>
+	  <p>There is a HIGH severity vulnerability affecting CPython.</p>
+	  <p>Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action"
+	   the mitigation could be bypassed for certain browser types the
+	   "webbrowser.open()" API could have commands injected into the underlying
+	    shell. See CVE-2026-4519 for details.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2026-4786</cvename>
+      <url>https://mail.python.org/archives/list/security-announce@python.org/thread/JQDUNJVB4AQNTJECSUKOBDU3XCJIPSE5/</url>
+      <url>https://www.cve.org/CVERecord?id=CVE-2026-4786</url>
+      <url>https://github.com/python/cpython/issues/148169</url>
+      <url>https://github.com/python/cpython/pull/148170</url>
+    </references>
+    <dates>
+      <discovery>2026-04-06</discovery>
+      <entry>2026-04-13</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="b8e9f33c-375d-11f1-a119-e36228bfe7d4">
     <topic>Python -- use-after-free vulnerability in decompressors under memory pressure</topic>
     <affects>