Date: Mon, 13 Apr 2026 22:46:49 +0000 From: bugzilla-noreply@freebsd.org To: python@FreeBSD.org Subject: [Bug 294496] lang/python*: CVE-2026-4786: webbrowser.open() command injection mitigation for CVE-2026-4519 was incomplete Message-ID: <bug-294496-21822@https.bugs.freebsd.org/bugzilla/>
index | next in thread | raw e-mail
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294496 Bug ID: 294496 Summary: lang/python*: CVE-2026-4786: webbrowser.open() command injection mitigation for CVE-2026-4519 was incomplete Product: Ports & Packages Version: Latest Hardware: Any URL: https://github.com/python/cpython/pull/148170 OS: Any Status: New Keywords: security Severity: Affects Many People Priority: --- Component: Individual Port(s) Assignee: ports-secteam@FreeBSD.org Reporter: mandree@FreeBSD.org CC: diizzy@FreeBSD.org, python@FreeBSD.org Depends on: 294246, 294486 Flags: merge-quarterly? https://github.com/python/cpython/pull/148170 "incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()" -> https://www.cve.org/CVERecord?id=CVE-2026-4786 as reported by Seth Larson. Referenced Bugs: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294246 [Bug 294246] lang/python3: Missing security update https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294486 [Bug 294486] lang/python314: needs fix for CVE-2026-6100 use-after-free in decompressors when reusing instances after MemoryError -- You are receiving this mail because: You are on the CC list for the bug.home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-294496-21822>