Date: Thu, 16 Apr 2026 21:38:38 +0000 From: Daniel Engberg <diizzy@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Cc: Matthias Andree <mandree@FreeBSD.org> Subject: git: 97f22e47abbc - main - security/vuxml: Add entry for Python CVE-2026-4786 Message-ID: <69e156de.27792.297f1367@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by diizzy: URL: https://cgit.FreeBSD.org/ports/commit/?id=97f22e47abbca9561ddab83242f205ef2046fc24 commit 97f22e47abbca9561ddab83242f205ef2046fc24 Author: Matthias Andree <mandree@FreeBSD.org> AuthorDate: 2026-04-13 22:52:20 +0000 Commit: Daniel Engberg <diizzy@FreeBSD.org> CommitDate: 2026-04-16 21:38:32 +0000 security/vuxml: Add entry for Python CVE-2026-4786 Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open() Obtained from: GitHub repo Security: CVE-2026-4786 cf75f572-378a-11f1-a119-e36228bfe7d4 --- security/vuxml/vuln/2026.xml | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml index 81f347cc62c5..9fe569801f9b 100644 --- a/security/vuxml/vuln/2026.xml +++ b/security/vuxml/vuln/2026.xml @@ -220,6 +220,41 @@ </dates> </vuln> + <vuln vid="cf75f572-378a-11f1-a119-e36228bfe7d4"> + <topic>python -- more webbrowser.open() command injection vulnerabilities</topic> + <affects> + <package><name>python310</name><range><ge>0</ge></range></package> + <package><name>python311</name><range><ge>0</ge></range></package> + <package><name>python312</name><range><ge>0</ge></range></package> + <package><name>python313</name><range><ge>0</ge></range></package> + <package><name>python314</name><range><lt>3.14.4_2</lt></range></package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Seth Larson reports:</p> + <blockquote cite="https://mail.python.org/archives/list/security-announce@python.org/thread/JQDUNJVB4AQNTJECSUKOBDU3XCJIPSE5/">; + <p>[CVE-2026-4786] Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open()</p> + <p>There is a HIGH severity vulnerability affecting CPython.</p> + <p>Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" + the mitigation could be bypassed for certain browser types the + "webbrowser.open()" API could have commands injected into the underlying + shell. See CVE-2026-4519 for details.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2026-4786</cvename> + <url>https://mail.python.org/archives/list/security-announce@python.org/thread/JQDUNJVB4AQNTJECSUKOBDU3XCJIPSE5/</url>; + <url>https://www.cve.org/CVERecord?id=CVE-2026-4786</url>; + <url>https://github.com/python/cpython/issues/148169</url>; + <url>https://github.com/python/cpython/pull/148170</url>; + </references> + <dates> + <discovery>2026-04-06</discovery> + <entry>2026-04-13</entry> + </dates> + </vuln> + <vuln vid="b8e9f33c-375d-11f1-a119-e36228bfe7d4"> <topic>Python -- use-after-free vulnerability in decompressors under memory pressure</topic> <affects>home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69e156de.27792.297f1367>