CVE-2026-4786
Public on 2026-04-13
Modified on 2026-04-14
Description
Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | python | 2026-05-14 | ALAS2-2026-3280 | Fixed |
| Amazon Linux 2 - Core | python3 | 2026-05-14 | ALAS2-2026-3281 | Fixed |
| Amazon Linux 2023 | python3.11 | 2026-04-30 | ALAS2023-2026-1620 | Fixed |
| Amazon Linux 2023 | python3.12 | 2026-04-30 | ALAS2023-2026-1619 | Fixed |
| Amazon Linux 2023 | python3.13 | 2026-05-14 | ALAS2023-2026-1638 | Fixed |
| Amazon Linux 2023 | python3.14 | 2026-04-30 | ALAS2023-2026-1617 | Fixed |
| Amazon Linux 2023 | python3.9 | 2026-04-30 | ALAS2023-2026-1618 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L |