{
  "threat_severity" : "Important",
  "public_date" : "2026-04-13T21:52:19Z",
  "bugzilla" : {
    "description" : "python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API",
    "id" : "2458049",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2458049"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-88",
  "details" : [ "Mitigation of CVE-2026-4519 was incomplete. If the URL contained \"%action\", the mitigation could be bypassed: for certain browser types, the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.", "A flaw was found in the Python webbrowser.open() API. If a specially crafted URL containing \"%action\" is processed, an attacker could bypass a previous mitigation for CVE-2026-4519. This bypass allows for command injection into the underlying shell, potentially leading to arbitrary code execution." ],
  "statement" : "This flaw in the Python `webbrowser.open()` API allows for command injection and arbitrary code execution when processing specially crafted URLs containing \"%action\". This bypasses a previous mitigation for CVE-2026-4519.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-04-27T00:00:00Z",
    "advisory" : "RHSA-2026:10711",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "python3.12-0:3.12.12-3.el10_1.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19019",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "python3.14-0:3.14.4-2.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19064",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "python3.12-0:3.12.13-2.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-05-13T00:00:00Z",
    "advisory" : "RHSA-2026:16699",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "python3.12-0:3.12.9-2.el10_0.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19589",
    "cpe" : "cpe:/o:redhat:rhel_els:7",
    "package" : "python-0:2.7.5-94.el7_9.5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-04-27T00:00:00Z",
    "advisory" : "RHSA-2026:10950",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python3.12-0:3.12.13-2.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-04-27T00:00:00Z",
    "advisory" : "RHSA-2026:11062",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python3.11-0:3.11.13-7.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-04-27T00:00:00Z",
    "advisory" : "RHSA-2026:11077",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python3-0:3.6.8-76.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-04-27T00:00:00Z",
    "advisory" : "RHSA-2026:11077",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "python3-0:3.6.8-76.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19590",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.4",
    "package" : "python3-0:3.6.8-39.el8_4.11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19590",
    "cpe" : "cpe:/a:redhat:rhel_eus_long_life:8.4",
    "package" : "python3-0:3.6.8-39.el8_4.11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2026-05-14T00:00:00Z",
    "advisory" : "RHSA-2026:17619",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.6",
    "package" : "python3-0:3.6.8-47.el8_6.13"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2026-05-14T00:00:00Z",
    "advisory" : "RHSA-2026:17619",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.6",
    "package" : "python3-0:3.6.8-47.el8_6.13"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2026-05-14T00:00:00Z",
    "advisory" : "RHSA-2026:17619",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.6",
    "package" : "python3-0:3.6.8-47.el8_6.13"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19549",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.8",
    "package" : "python3-0:3.6.8-51.el8_8.15"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19549",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.8",
    "package" : "python3-0:3.6.8-51.el8_8.15"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-04-27T00:00:00Z",
    "advisory" : "RHSA-2026:10745",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "python3.12-0:3.12.12-4.el9_7.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-04-27T00:00:00Z",
    "advisory" : "RHSA-2026:10774",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "python3.11-0:3.11.13-5.3.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-04-27T00:00:00Z",
    "advisory" : "RHSA-2026:10949",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "python3.9-0:3.9.25-3.el9_7.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19175",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "python3.11-0:3.11.13-9.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19176",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "python3.14-0:3.14.4-2.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19177",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "python3.12-0:3.12.13-2.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19216",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "python3.9-0:3.9.25-7.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-04-27T00:00:00Z",
    "advisory" : "RHSA-2026:10949",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "python3.9-0:3.9.25-3.el9_7.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19216",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "python3.9-0:3.9.25-7.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19571",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "python3.9-0:3.9.10-4.el9_0.11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-05-05T00:00:00Z",
    "advisory" : "RHSA-2026:13692",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "python3.11-0:3.11.2-2.el9_2.12"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19570",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "python3.9-0:3.9.16-1.el9_2.14"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14653",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "python3.11-0:3.11.7-1.el9_4.13"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-05-14T00:00:00Z",
    "advisory" : "RHSA-2026:17525",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "python3.12-0:3.12.1-4.el9_4.13"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14652",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "python3.11-0:3.11.11-2.el9_6.7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14656",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "python3.12-0:3.12.9-1.el9_6.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19576",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "python3.9-0:3.9.21-2.el9_6.6"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2026-05-05T00:00:00Z",
    "advisory" : "RHSA-2026:13812",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rhpam-7/rhpam-businesscentral-monitoring-rhel8:7.13.5-4.1777325677"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2026-05-05T00:00:00Z",
    "advisory" : "RHSA-2026:13812",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rhpam-7/rhpam-businesscentral-rhel8:7.13.5-4.1777325711"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2026-05-05T00:00:00Z",
    "advisory" : "RHSA-2026:13812",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rhpam-7/rhpam-controller-rhel8:7.13.5-4.1777325710"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2026-05-05T00:00:00Z",
    "advisory" : "RHSA-2026:13812",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rhpam-7/rhpam-dashbuilder-rhel8:7.13.5-3.1777325680"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2026-05-05T00:00:00Z",
    "advisory" : "RHSA-2026:13812",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rhpam-7/rhpam-kieserver-rhel8:7.13.5-4.1777325709"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2026-05-05T00:00:00Z",
    "advisory" : "RHSA-2026:13812",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rhpam-7/rhpam-process-migration-rhel8:7.13.5-4.1777325680"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2026-05-05T00:00:00Z",
    "advisory" : "RHSA-2026:13812",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rhpam-7/rhpam-smartrouter-rhel8:7.13.5-4.1777325708"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI 3.3",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10140",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3.3::el9",
    "package" : "rhelai3/bootc-aws-cuda-rhel9:1776871984"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI 3.3",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10140",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3.3::el9",
    "package" : "rhelai3/bootc-azure-cuda-rhel9:1776871985"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI 3.3",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10140",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3.3::el9",
    "package" : "rhelai3/bootc-azure-rocm-rhel9:1776872005"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI 3.3",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10140",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3.3::el9",
    "package" : "rhelai3/bootc-cuda-rhel9:1776773390"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI 3.3",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10140",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3.3::el9",
    "package" : "rhelai3/bootc-gcp-cuda-rhel9:1776871987"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI 3.3",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10140",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3.3::el9",
    "package" : "rhelai3/bootc-rocm-rhel9:1776773505"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI 3.3",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10141",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3.3::el9",
    "package" : "rhelai3/disk-image-cuda-rhel9:1776938871"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10117",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "python3-13-main-3.13.13-1.1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-17T00:00:00Z",
    "advisory" : "RHSA-2026:8822",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "python3-11-main-3.11.15-4.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-17T00:00:00Z",
    "advisory" : "RHSA-2026:8824",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "python3-12-main-3.12.13-3.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-21T00:00:00Z",
    "advisory" : "RHSA-2026:9228",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "python3-14-main-3.14.4-2.hum1"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-04-29T00:00:00Z",
    "advisory" : "RHSA-2026:11768",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/cds-kubernetes-tp-rhel9:1777459441"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-04-29T00:00:00Z",
    "advisory" : "RHSA-2026:11768",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/installer-tp-rhel9:1777454300"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-04-29T00:00:00Z",
    "advisory" : "RHSA-2026:11768",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/rhua-tp-rhel9:1777459504"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Affected",
    "package_name" : "python",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Affected",
    "package_name" : "python3",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "python2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "python36",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "python36:3.6/python36",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "python38",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "python39",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-4786\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4786\nhttps://github.com/python/cpython/issues/148169\nhttps://github.com/python/cpython/pull/148170\nhttps://mail.python.org/archives/list/security-announce@python.org/thread/JQDUNJVB4AQNTJECSUKOBDU3XCJIPSE5/" ],
  "name" : "CVE-2026-4786",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}