Mailman 3 [CVE-2026-4786] Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open() - Security-announce

April 13, 2026


      There is a HIGH severity vulnerability affecting CPython.
Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action"
the mitigation could be bypassed for certain browser types the
"webbrowser.open()" API could have commands injected into the underlying
shell. See CVE-2026-4519 for details.
Please see the linked CVE ID for the latest information on affected
versions:

https://www.cve.org/CVERecord?id=CVE-2026-4786
https://github.com/python/cpython/pull/148170

[CVE-2026-4786] Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()

Seth Larson

tags

participants (1)