A command-line option injection vulnerability (CVE-2026-4519, CVSS 3.3) exists in Python's `webbrowser.open()` function, allowing crafted URLs to inject unintended arguments. The vulnerability affects Python versions prior to 3.13.13, versions 3.14.0 through 3.14.3, and version 3.15.0. The fix is included in Python versions 3.13.13 and 3.14.4.
Red Hat Product Errata RHSA-2026:9387 - Security Advisory Issued: 2026-04-21 Updated: 2026-04-21 RHSA-2026:9387 - Security Advisory Overview Updated Packages Synopsis Important: python3 security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for python3 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): python: Python: Command-line option injection in webbrowser.open() via crafted URLs (CVE-2026-4519) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux Server - AUS 8.2 x86_64 Fixes BZ - 2449649 - CVE-2026-4519 python: Python: Command-line option injection in webbrowser.open() via crafted URLs CVEs CVE-2026-4519 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux Server - AUS 8.2 SRPM python3-3.6.8-24.el8_2.7.src.rpm SHA-256: ce88174a3c298174aa0306ef1e09542b494541cb949bfbdd7837092b385ddecf x86_64 platform-python-3.6.8-24.el8_2.7.i686.rpm SHA-256: 466ce4e3b13161d2bd4962d54036f9d11dc341d137305f7f7661c7571166ff22 platform-python-3.6.8-24.el8_2.7.x86_64.rpm SHA-256: 1b6e3c967994c29c11126d9d48ca092e2ae89f03bbda2a518388af515e2e8724 platform-python-debug-3.6.8-24.el8_2.7.i686.rpm SHA-256: 7ba19194eb44e7f691d37223d65e14c4ee290784808419d3a9b3a53661fa10f2 platform-python-debug-3.6.8-24.el8_2.7.x86_64.rpm SHA-256: e8e3e15750148e8f5cf13f55ba503fdd2201c49a0b5445263b3cf1dbab0df326 platform-python-devel-3.6.8-24.el8_2.7.i686.rpm SHA-256: 2ef52cd2522a14f09d5223c62223b0a6004b4bafc46ffbcba389bc6c37cbb279 platform-python-devel-3.6.8-24.el8_2.7.x86_64.rpm SHA-256: 206f5b82ccaa0d5217b81d998b0e3f529c6a2b8d94020ca9bcf46215e2d1d8bc python3-debuginfo-3.6.8-24.el8_2.7.i686.rpm SHA-256: 80a20796a00580008bd607624ff641b18ab735ae3f06b3d8bf5c14e568b8cf55 python3-debuginfo-3.6.8-24.el8_2.7.i686.rpm SHA-256: 80a20796a00580008bd607624ff641b18ab735ae3f06b3d8bf5c14e568b8cf55 python3-debuginfo-3.6.8-24.el8_2.7.x86_64.rpm SHA-256: d1f71a540ad10da248336788f4420f60b081e2109ebadb7ca90db6262f6aaf93 python3-debuginfo-3.6.8-24.el8_2.7.x86_64.rpm SHA-256: d1f71a540ad10da248336788f4420f60b081e2109ebadb7ca90db6262f6aaf93 python3-debugsource-3.6.8-24.el8_2.7.i686.rpm SHA-256: 4993c30837304efcdac01eb754893d91f3cf8509028bc003a1ee49cc67e19911 python3-debugsource-3.6.8-24.el8_2.7.i686.rpm SHA-256: 4993c30837304efcdac01eb754893d91f3cf8509028bc003a1ee49cc67e19911 python3-debugsource-3.6.8-24.el8_2.7.x86_64.rpm SHA-256: 022fede4030a19da1a59f599ad55269576b42ea2fef059e716b0917c8cac50a5 python3-debugsource-3.6.8-24.el8_2.7.x86_64.rpm SHA-256: 022fede4030a19da1a59f599ad55269576b42ea2fef059e716b0917c8cac50a5 python3-idle-3.6.8-24.el8_2.7.i686.rpm SHA-256: c211e125a8db4ebcf453904604d18da4a020ecd46e7ea4d69131f9ce4c00c13c python3-idle-3.6.8-24.el8_2.7.x86_64.rpm SHA-256: 1cefcb84c4c15d5fe382e551e3b0c0abf3cf38adcf987253b3479fdfc5e0b611 python3-libs-3.6.8-24.el8_2.7.i686.rpm SHA-256: d1be6cc2741328c67e3953c87815f445c862acacc542e61eda1b267318996d2e python3-libs-3.6.8-24.el8_2.7.x86_64.rpm SHA-256: 5c5a05ea4bc50a76048a4455934d5514398fad0e1631e168b2f7f0ce5ffd47a7 python3-test-3.6.8-24.el8_2.7.i686.rpm SHA-256: aece92ed2f947ceffd2d6c99f78ed460fa61109865875bc4e8f2c336290642b9 python3-test-3.6.8-24.el8_2.7.x86_64.rpm SHA-256: 4dac9d688bb28104f3f5e545f93e86718d0bae4a2d85b02602fff4f9ead84a37 python3-tkinter-3.6.8-24.el8_2.7.i686.rpm SHA-256: 6417c57af5bc5c518ac05a654cb4d37d2b5aea0e9c85c5e8dafd0d3434489870 python3-tkinter-3.6.8-24.el8_2.7.x86_64.rpm SHA-256: 35b235580573ede0c9dd1200a20c2304befa7239e30e6c238b05f951d4a48287 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .