Vulnerability in CPython from the Python Software Foundation (CVE-2026-4519)
CVSS v4.0 severity:
HIGH
Type:
CWE-20
Improper Input Validation
Publication date:
20/03/2026
Last modified:
07/04/2026
Description
The webbrowser.open() API accepted leading dashes in the URL, which could be interpreted as command-line options by certain web browsers. The new behavior rejects leading dashes. Users are advised to sanitize URLs before passing them to webbrowser.open().
Impact
Base score 4.0
7.00
Severity 4.0
HIGH
References to solutions, tools and information
- https://github.com/python/cpython/commit/3681d47a440865aead912a054d4599087b4270dd
- https://github.com/python/cpython/commit/43fe06b96f6a6cf5cfd5bdab20b8649374956866
- https://github.com/python/cpython/commit/591ed890270c5697b013bf637029fb3e6cd2d73e
- https://github.com/python/cpython/commit/594b5a05dc9913880ac92eded440defbf32a28d1
- https://github.com/python/cpython/commit/82a24a4442312bdcfc4c799885e8b3e00990f02b
- https://github.com/python/cpython/commit/89bfb8e5ed3c7caa241028f1a4eac5f6275a46a4
- https://github.com/python/cpython/commit/9669a912a0e329c094e992204d6bdb8787024d76
- https://github.com/python/cpython/commit/96fc5048605863c7b6fd6289643feb0e97edd96c
- https://github.com/python/cpython/commit/ad4d5ba32af4d80b0dfa2ba9d8203bfb219e60a5
- https://github.com/python/cpython/commit/cbba6119391112aba9c5aebf7b94aea447922c48
- https://github.com/python/cpython/commit/cc023511238ad93ecc8796157c6f9139a2bb2932
- https://github.com/python/cpython/commit/ceac1efc66516ac387eef2c9a0ce671895b44f03
- https://github.com/python/cpython/issues/143930
- https://github.com/python/cpython/pull/143931
- https://mail.python.org/archives/list/security-announce@python.org/thread/AY5NDSS433JK56Q7Q5IS7B37QFZVVOUS/
- http://www.openwall.com/lists/oss-security/2026/03/20/1



