A command-line option injection vulnerability (CVE-2026-4519, CVSS 3.3) in Python's `webbrowser.open()` function can be exploited via crafted URLs. The vulnerability affects Python versions prior to 3.13.13, versions 3.14.0 through 3.14.3, and version 3.15.0. The fix requires upgrading to Python version 3.13.13 or 3.14.4.
Red Hat Product Errata RHSA-2026:9621 - Security Advisory Issued: 2026-04-22 Updated: 2026-04-22 RHSA-2026:9621 - Security Advisory Overview Updated Packages Synopsis Important: python3 security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for python3 is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support and Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): python: Python: Command-line option injection in webbrowser.open() via crafted URLs (CVE-2026-4519) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.4 x86_64 Red Hat Enterprise Linux Server - AUS 8.4 x86_64 Fixes BZ - 2449649 - CVE-2026-4519 python: Python: Command-line option injection in webbrowser.open() via crafted URLs CVEs CVE-2026-4519 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.4 SRPM python3-3.6.8-39.el8_4.10.src.rpm SHA-256: d6882d9eb163a65a4805727d92627274605164f0e1d6a1c46f7a42ea337e42a3 x86_64 platform-python-3.6.8-39.el8_4.10.i686.rpm SHA-256: b5de1dbba4a092a48b5b9d37b3836824e005e1107572e3f76859e5c59e505ad8 platform-python-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: f39ef7e60c6bb6e3f60f7269c3dddeef7bc8fa2af41faca5a8d3d63865980b8a platform-python-debug-3.6.8-39.el8_4.10.i686.rpm SHA-256: 18e8d5c67457dbfc60eb8fef0217b312b81e9ea2c808f55b24ae570e5305ddf6 platform-python-debug-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: 0458e6e2afd8ca5fda1c41670379ab2f9d42fbd0d213fa0d1036bb4a3f4e31fd platform-python-devel-3.6.8-39.el8_4.10.i686.rpm SHA-256: e13097c86e32ef61363c932e6c0341f148c896eb6425c7c9e8755aa241b9afe6 platform-python-devel-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: 103a73d2e974eb7b4f2b415a3e1feb0f244847f7adbf2b61bc7300407adf1f8c python3-debuginfo-3.6.8-39.el8_4.10.i686.rpm SHA-256: e7b084188fc4f67cc88fafb38621bacbe6f568c15ac7438a475725ade8299202 python3-debuginfo-3.6.8-39.el8_4.10.i686.rpm SHA-256: e7b084188fc4f67cc88fafb38621bacbe6f568c15ac7438a475725ade8299202 python3-debuginfo-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: e51b1291e4b3e45a0af90df109ecff46055cdef8b7be5404fd7e04b60d570670 python3-debuginfo-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: e51b1291e4b3e45a0af90df109ecff46055cdef8b7be5404fd7e04b60d570670 python3-debugsource-3.6.8-39.el8_4.10.i686.rpm SHA-256: 2834ff1bbcf6af2b4a2f071a4fba1bcf2050ac3916ef3ad0724b14bf0f6c3f23 python3-debugsource-3.6.8-39.el8_4.10.i686.rpm SHA-256: 2834ff1bbcf6af2b4a2f071a4fba1bcf2050ac3916ef3ad0724b14bf0f6c3f23 python3-debugsource-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: e5a80a97b6e493427bb34abca21c150971d82aba1e070b990e335f8d349f9bde python3-debugsource-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: e5a80a97b6e493427bb34abca21c150971d82aba1e070b990e335f8d349f9bde python3-idle-3.6.8-39.el8_4.10.i686.rpm SHA-256: a974715d2b7685ddfef11f0e6d1d923e1c30fd594f664a5b2805b1037134fd7a python3-idle-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: e0a275e7e548ac8d5ad137bb4fc20dd19acacc5fbc7ec06dc9eb12c3ce2d83ad python3-libs-3.6.8-39.el8_4.10.i686.rpm SHA-256: 0a9ac7eea887603fa27f8bab6598bc2674a6cd036df445873d330fd89dc8d173 python3-libs-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: f9ea80139dc88dc5ad684da8d6860f93e4c9a2694de8e3094c50be14503d5f48 python3-test-3.6.8-39.el8_4.10.i686.rpm SHA-256: 9bec0e2986146f2878f7af545535229beed290e2633a53f861cc595ae6e7a8fd python3-test-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: 89fe19bb4cd5e980ac2b76306e1092e49233612ab864d2f97890eeb3fcfaafd8 python3-tkinter-3.6.8-39.el8_4.10.i686.rpm SHA-256: 1d0d868b6aa5696a75a95eb4d676b81f1c3ed557e2cfde3372b3633942649c57 python3-tkinter-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: 6cb64fd64530623bfda2a0a89449fa2e6ab37768373fee64987311846d6a00cb Red Hat Enterprise Linux Server - AUS 8.4 SRPM python3-3.6.8-39.el8_4.10.src.rpm SHA-256: d6882d9eb163a65a4805727d92627274605164f0e1d6a1c46f7a42ea337e42a3 x86_64 platform-python-3.6.8-39.el8_4.10.i686.rpm SHA-256: b5de1dbba4a092a48b5b9d37b3836824e005e1107572e3f76859e5c59e505ad8 platform-python-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: f39ef7e60c6bb6e3f60f7269c3dddeef7bc8fa2af41faca5a8d3d63865980b8a platform-python-debug-3.6.8-39.el8_4.10.i686.rpm SHA-256: 18e8d5c67457dbfc60eb8fef0217b312b81e9ea2c808f55b24ae570e5305ddf6 platform-python-debug-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: 0458e6e2afd8ca5fda1c41670379ab2f9d42fbd0d213fa0d1036bb4a3f4e31fd platform-python-devel-3.6.8-39.el8_4.10.i686.rpm SHA-256: e13097c86e32ef61363c932e6c0341f148c896eb6425c7c9e8755aa241b9afe6 platform-python-devel-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: 103a73d2e974eb7b4f2b415a3e1feb0f244847f7adbf2b61bc7300407adf1f8c python3-debuginfo-3.6.8-39.el8_4.10.i686.rpm SHA-256: e7b084188fc4f67cc88fafb38621bacbe6f568c15ac7438a475725ade8299202 python3-debuginfo-3.6.8-39.el8_4.10.i686.rpm SHA-256: e7b084188fc4f67cc88fafb38621bacbe6f568c15ac7438a475725ade8299202 python3-debuginfo-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: e51b1291e4b3e45a0af90df109ecff46055cdef8b7be5404fd7e04b60d570670 python3-debuginfo-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: e51b1291e4b3e45a0af90df109ecff46055cdef8b7be5404fd7e04b60d570670 python3-debugsource-3.6.8-39.el8_4.10.i686.rpm SHA-256: 2834ff1bbcf6af2b4a2f071a4fba1bcf2050ac3916ef3ad0724b14bf0f6c3f23 python3-debugsource-3.6.8-39.el8_4.10.i686.rpm SHA-256: 2834ff1bbcf6af2b4a2f071a4fba1bcf2050ac3916ef3ad0724b14bf0f6c3f23 python3-debugsource-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: e5a80a97b6e493427bb34abca21c150971d82aba1e070b990e335f8d349f9bde python3-debugsource-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: e5a80a97b6e493427bb34abca21c150971d82aba1e070b990e335f8d349f9bde python3-idle-3.6.8-39.el8_4.10.i686.rpm SHA-256: a974715d2b7685ddfef11f0e6d1d923e1c30fd594f664a5b2805b1037134fd7a python3-idle-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: e0a275e7e548ac8d5ad137bb4fc20dd19acacc5fbc7ec06dc9eb12c3ce2d83ad python3-libs-3.6.8-39.el8_4.10.i686.rpm SHA-256: 0a9ac7eea887603fa27f8bab6598bc2674a6cd036df445873d330fd89dc8d173 python3-libs-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: f9ea80139dc88dc5ad684da8d6860f93e4c9a2694de8e3094c50be14503d5f48 python3-test-3.6.8-39.el8_4.10.i686.rpm SHA-256: 9bec0e2986146f2878f7af545535229beed290e2633a53f861cc595ae6e7a8fd python3-test-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: 89fe19bb4cd5e980ac2b76306e1092e49233612ab864d2f97890eeb3fcfaafd8 python3-tkinter-3.6.8-39.el8_4.10.i686.rpm SHA-256: 1d0d868b6aa5696a75a95eb4d676b81f1c3ed557e2cfde3372b3633942649c57 python3-tkinter-3.6.8-39.el8_4.10.x86_64.rpm SHA-256: 6cb64fd64530623bfda2a0a89449fa2e6ab37768373fee64987311846d6a00cb The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .