[Bug 294496] lang/python*: CVE-2026-4786: webbrowser.open() command injection mitigation for CVE-2026-4519 was incomplete

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 13 Apr 2026 22:46:49 UTC 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294496

            Bug ID: 294496
           Summary: lang/python*: CVE-2026-4786: webbrowser.open() command
                    injection mitigation for CVE-2026-4519 was incomplete
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://github.com/python/cpython/pull/148170
                OS: Any
            Status: New
          Keywords: security
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-secteam@FreeBSD.org
          Reporter: mandree@FreeBSD.org
                CC: diizzy@FreeBSD.org, python@FreeBSD.org
        Depends on: 294246, 294486
             Flags: merge-quarterly?

https://github.com/python/cpython/pull/148170 "incomplete mitigation of
CVE-2026-4519, %action expansion for command injection to webbrowser.open()" ->
https://www.cve.org/CVERecord?id=CVE-2026-4786 as reported by Seth Larson.


Referenced Bugs:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246
[Bug 294246] lang/python3: Missing security update
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294486
[Bug 294486] lang/python314: needs fix for CVE-2026-6100 use-after-free in
decompressors when reusing instances after MemoryError
-- 
You are receiving this mail because:
You are on the CC list for the bug.