Fluid Attacks Database

Description

Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	python3.13	=3.13.11-1 \|\| =3.13.12-1 \|\| =3.13.5-2 \|\| =3.13.6-1 \|\| =3.13.7-1 \|\| =3.13.8-1 \|\| =3.13.9-1	-
rpm rhel9	python3.14	<0:3.14.4-2.el9_8	0:3.14.4-2.el9_8
rpm rhel6	python	-	-
rpm rhel8	python3.11	<0:3.11.13-7.el8_10	0:3.11.13-7.el8_10
debian 14	pypy3	=7.3.19+dfsg-2 \|\| =7.3.20+dfsg-1 \|\| =7.3.20+dfsg-2 \|\| =7.3.20+dfsg-3 \|\| =7.3.20+dfsg-4 \|\| =7.3.21+dfsg-1 \|\| =7.3.21+dfsg-2 \|\| =7.3.21+dfsg-3 \|\| =7.3.21+dfsg-4 \|\| >=0 <7.3.22+dfsg-1	7.3.22+dfsg-1
debian 14	python3.14	=3.14.0-1 \|\| =3.14.0-2 \|\| =3.14.0-3 \|\| =3.14.0-4 \|\| =3.14.0-5 \|\| =3.14.0~a7-1 \|\| =3.14.0~b1-1 \|\| =3.14.0~b2-1 \|\| =3.14.0~b3-1 \|\| =3.14.0~b4-1 \|\| =3.14.0~rc1-1 \|\| =3.14.0~rc2-1 \|\| =3.14.0~rc3-1 \|\| =3.14.2-1 \|\| =3.14.3-1 \|\| =3.14.3-2 \|\| =3.14.3-3 \|\| =3.14.3-4 \|\| =3.14.3-5 \|\| =3.14.4-1 \|\| =3.14.4-2 \|\| =3.14.5~rc1-1 \|\| >=0 <3.14.5-1	3.14.5-1
rpm rhel7	python3	-	-
rpm rhel8	python3	<0:3.6.8-76.el8_10	0:3.6.8-76.el8_10
rpm rhel9	python3.11	<0:3.11.13-9.el9_8	0:3.11.13-9.el9_8
rpm rhel10	python3.12	<0:3.12.12-3.el10_1.3 \|\| >=0:3.12.13, <0:3.12.13-2.el10_2	0:3.12.13-2.el10_2

1-10 of 24

Aliases

1. CVE-2026-47862. NVD-2026-47863. OSV-DEBIAN-2026-47864. OSV-2026-47865. SECURITY-TRACKER-CVE-2026-4786

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.