A command-line option injection vulnerability (CVE-2026-4519, CVSS 3.3 LOW) in Python's `webbrowser.open()` function allows crafted URLs to inject unintended arguments. The vulnerability affects Python versions prior to 3.13.13, versions 3.14.0 through 3.14.3, and version 3.15.0. The flaw is remediated by upgrading to Python versions 3.13.13, 3.14.4, or later.
Red Hat Product Errata RHSA-2026:10101 - Security Advisory Issued: 2026-04-23 Updated: 2026-04-23 RHSA-2026:10101 - Security Advisory Overview Updated Packages Synopsis Important: python3.9 security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for python3.9 is now available for Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fix(es): python: Python: Command-line option injection in webbrowser.open() via crafted URLs (CVE-2026-4519) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64 Red Hat Enterprise Linux Server - AUS 9.4 x86_64 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64 Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64 Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.4 x86_64 Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.4 ppc64le Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.4 s390x Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.4 aarch64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.4 x86_64 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.4 aarch64 Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.4 ppc64le Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.4 s390x Fixes BZ - 2449649 - CVE-2026-4519 python: Python: Command-line option injection in webbrowser.open() via crafted URLs CVEs CVE-2026-4519 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 SRPM python3.9-3.9.18-3.el9_4.12.src.rpm SHA-256: 7ccf288db35a93b59abab0ee1db3fc9aa238566c29b08226688e11664b5e4857 x86_64 python-unversioned-command-3.9.18-3.el9_4.12.noarch.rpm SHA-256: 9549d46c199ff78449f086eac15a9959077378a40cf1184c8612891ea98819c3 python3-3.9.18-3.el9_4.12.x86_64.rpm SHA-256: 2b64f576eaf45170fa646b0b41d603c008a03f4b885ac320d0df651c10969fcf python3-devel-3.9.18-3.el9_4.12.i686.rpm SHA-256: 8fee27098fc8abd7707d4b5146a28984257cef637062600484732c767b97c786 python3-devel-3.9.18-3.el9_4.12.x86_64.rpm SHA-256: dad7ac97f4d99cf3f4bf847df738c5482f4c9faeced26f7619c5784b06ca06a6 python3-libs-3.9.18-3.el9_4.12.i686.rpm SHA-256: 4c3eed008ca8106f0711001d37e72c163128e3b589c3dfe2c7b06b65c56407ec python3-libs-3.9.18-3.el9_4.12.x86_64.rpm SHA-256: 78d56a14bae0f59804992e268eb3bd0c76ff1e2ccfeae56c0fb702d5978a1d81 python3-tkinter-3.9.18-3.el9_4.12.x86_64.rpm SHA-256: 0cc1c0f494a9e90cbdba9ef05359b614903bce1613b921d5087d08d92487f3d0 python3.9-debuginfo-3.9.18-3.el9_4.12.i686.rpm SHA-256: 846b39ed043218db3a7e402d5a91929ff8f8fd51aac42b89b68b52fb7f673678 python3.9-debuginfo-3.9.18-3.el9_4.12.i686.rpm SHA-256: 846b39ed043218db3a7e402d5a91929ff8f8fd51aac42b89b68b52fb7f673678 python3.9-debuginfo-3.9.18-3.el9_4.12.x86_64.rpm SHA-256: af526761706cbd7e9a6f39a3ffb52117dcdf728f0684f6f4e232626167502646 python3.9-debuginfo-3.9.18-3.el9_4.12.x86_64.rpm SHA-256: af526761706cbd7e9a6f39a3ffb52117dcdf728f0684f6f4e232626167502646 python3.9-debugsource-3.9.18-3.el9_4.12.i686.rpm SHA-256: 8816ff93e30a94c7204c72f77a6dbb38a945f3c43601dc5ca6d9f026d4e7e859 python3.9-debugsource-3.9.18-3.el9_4.12.i686.rpm SHA-256: 8816ff93e30a94c7204c72f77a6dbb38a945f3c43601dc5ca6d9f026d4e7e859 python3.9-debugsource-3.9.18-3.el9_4.12.x86_64.rpm SHA-256: 5d24411612768143db66220f2c10b5892ada43267f7f79869fbff45d84bc4646 python3.9-debugsource-3.9.18-3.el9_4.12.x86_64.rpm SHA-256: 5d24411612768143db66220f2c10b5892ada43267f7f79869fbff45d84bc4646 Red Hat Enterprise Linux Server - AUS 9.4 SRPM python3.9-3.9.18-3.el9_4.12.src.rpm SHA-256: 7ccf288db35a93b59abab0ee1db3fc9aa238566c29b08226688e11664b5e4857 x86_64 python-unversioned-command-3.9.18-3.el9_4.12.noarch.rpm SHA-256: 9549d46c199ff78449f086eac15a9959077378a40cf1184c8612891ea98819c3 python3-3.9.18-3.el9_4.12.x86_64.rpm SHA-256: 2b64f576eaf45170fa646b0b41d603c008a03f4b885ac320d0df651c10969fcf python3-devel-3.9.18-3.el9_4.12.i686.rpm SHA-256: 8fee27098fc8abd7707d4b5146a28984257cef637062600484732c767b97c786 python3-devel-3.9.18-3.el9_4.12.x86_64.rpm SHA-256: dad7ac97f4d99cf3f4bf847df738c5482f4c9faeced26f7619c5784b06ca06a6 python3-libs-3.9.18-3.el9_4.12.i686.rpm SHA-256: 4c3eed008ca8106f0711001d37e72c163128e3b589c3dfe2c7b06b65c56407ec python3-libs-3.9.18-3.el9_4.12.x86_64.rpm SHA-256: 78d56a14bae0f59804992e268eb3bd0c76ff1e2ccfeae56c0fb702d5978a1d81 python3-tkinter-3.9.18-3.el9_4.12.x86_64.rpm SHA-256: 0cc1c0f494a9e90cbdba9ef05359b614903bce1613b921d5087d08d92487f3d0 python3.9-debuginfo-3.9.18-3.el9_4.12.i686.rpm SHA-256: 846b39ed043218db3a7e402d5a91929ff8f8fd51aac42b89b68b52fb7f673678 python3.9-debuginfo-3.9.18-3.el9_4.12.i686.rpm SHA-256: 846b39ed043218db3a7e402d5a91929ff8f8fd51aac42b89b68b52fb7f673678 python3.9-debuginfo-3.9.18-3.el9_4.12.x86_64.rpm SHA-256: af526761706cbd7e9a6f39a3ffb52117dcdf728f0684f6f4e232626167502646 python3.9-debuginfo-3.9.18-3.el9_4.12.x86_64.rpm SHA-256: af526761706cbd7e9a6f39a3ffb52117dcdf728f0684f6f4e232626167502646 python3.9-debugsource-3.9.18-3.el9_4.12.i686.rpm SHA-256: 8816ff93e30a94c7204c72f77a6dbb38a945f3c43601dc5ca6d9f026d4e7e859 python3.9-debugsource-3.9.18-3.el9_4.12.i686.rpm SHA-256: 8816ff93e30a94c7204c72f77a6dbb38a945f3c43601dc5ca6d9f026d4e7e859 python3.9-debugsource-3.9.18-3.el9_4.12.x86_64.rpm SHA-256: 5d24411612768143db66220f2c10b5892ada43267f7f79869fbff45d84bc4646 python3.9-debugsource-3.9.18-3.el9_4.12.x86_64.rpm SHA-256: 5d24411612768143db66220f2c10b5892ada43267f7f79869fbff45d84bc4646 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 SRPM python3.9-3.9.18-3.el9_4.12.src.rpm SHA-256: 7ccf288db35a93b59abab0ee1db3fc9aa238566c29b08226688e11664b5e4857 s390x python-unversioned-command-3.9.18-3.el9_4.12.noarch.rpm SHA-256: 9549d46c199ff78449f086eac15a9959077378a40cf1184c8612891ea98819c3 python3-3.9.18-3.el9_4.12.s390x.rpm SHA-256: f5c4918cebaeb38c41606f99fa981cdc0ca3aa6bb8712039d114e31c4d3df3d4 python3-devel-3.9.18-3.el9_4.12.s390x.rpm SHA-256: 34309da9579fd98e6188b00885a50798d600d2c406489e35e238d8f063458288 python3-libs-3.9.18-3.el9_4.12.s390x.rpm SHA-256: 1f5e571f17fad22af27cb25c2c27a5ef92934c3a6c7448c2bbee0ab36fee0cc6 python3-tkinter-3.9.18-3.el9_4.12.s390x.rpm SHA-256: e2dfafe7b234c42503dba41e6a8de4a673445514ec3fdcbe81dc6d15e38d9db9 python3.9-debuginfo-3.9.18-3.el9_4.12.s390x.rpm SHA-256: a07b2bdfb413d014ec968ac8b3b0df946a0ba6143cd4a4b9d7e1f3d02b1fb3c3 python3.9-debuginfo-3.9.18-3.el9_4.12.s390x.rpm SHA-256: a07b2bdfb413d014ec968ac8b3b0df946a0ba6143cd4a4b9d7e1f3d02b1fb3c3 python3.9-debugsource-3.9.18-3.el9_4.12.s390x.rpm SHA-256: 19fd07b2d43dae352b1d596bd6a9d9cb2c21815076c449815327b7fc2ebbb89b python3.9-debugsource-3.9.18-3.el9_4.12.s390x.rpm SHA-256: 19fd07b2d43dae352b1d596bd6a9d9cb2c21815076c449815327b7fc2ebbb89b Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 SRPM python3.9-3.9.18-3.el9_4.12.src.rpm SHA-256: 7ccf288db35a93b59abab0ee1db3fc9aa238566c29b08226688e11664b5e4857 ppc64le python-unversioned-command-3.9.18-3.el9_4.12.noarch.rpm SHA-256: 9549d46c199ff78449f086eac15a9959077378a40cf1184c8612891ea98819c3 python3-3.9.18-3.el9_4.12.ppc64le.rpm SHA-256: 41c5ee7b47a33c3873df1ed8dccf70ab3934d4d7da0441ef5c16fe78a708a393 python3-devel-3.9.18-3.el9_4.12.ppc64le.rpm SHA-256: a5e2d45f8db6847dab1413a76088d22c837f3db3920aca1db515f90e074d99c4 python3-libs-3.9.18-3.el9_4.12.ppc64le.rpm SHA-256: 14d5db175045cb3045b7d03dff92ff26004a0fb930cf101e502aac1a8c371e45 python3-tkinter-3.9.18-3.el9_4.12.ppc64le.rpm SHA-256: 7b100c1a57e39488d36dba2b7706df673086c8b2869738ee64f095e4bd22ee69 python3.9-debuginfo-3.9.18-3.el9_4.12.ppc64le.rpm SHA-256: ca022bc9975c76137d95b2dec6b21333a1b7effde88e05d0dd8f25bc7470c852 python3.9-debuginfo-3.9.18-3.el9_4.12.ppc64le.rpm SHA-256: ca022bc9975c76137d95b2dec6b21333a1b7effde88e05d0dd8f25bc7470c852 python3.9-debugsource-3.9.18-3.el9_4.12.ppc64le.rpm SHA-256: 78e51781b9951bbbddd133ba3770e59cc8143c043c656f088873de99223f1f88 python3.9-debugsource-3.9.18-3.el9_4.12.ppc64le.rpm SHA-256: 78e51781b9951bbbddd133ba3770e59cc8143c043c656f088873de99223f1f88 Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 SRPM python3.9-3.9.18-3.el9_4.12.src.rpm SHA-256: 7ccf288db35a93b59abab0ee1db3fc9aa238566c29b08226688e11664b5e4857 aarch64 python-unversioned-command-3.9.18-3.el9_4.12.noarch.rpm SHA-256: 9549d46c199ff78449f086eac15a9959077378a40cf