Donate Telegram

CVE-2026-4786

HIGH CVSS 4.0: 7.0 EPSS 0.02%

Apr 13, 2026

Updated Apr 17, 2026

Mitgation

Parameter	Value
CVSS	7.0 (HIGH)
Type	CWE-77 (Command Injection)
Vendor	Mitgation
Public PoC	No

Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.

Attack Parameters

Attack Vector

Local

Requires local access

Attack Complexity

Low

Easy to exploit

Attack Requirements

Present

Additional conditions required

Privileges Required

None

No privileges needed

User Interaction

Active

User action required

Impact Assessment

Confidentiality

High

Complete data leak

Integrity

High

Complete data modification

Availability

None

No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-77 Command Injection

References 6

https://github.com/python/cpython/commit/c5767a72838a8dda9d6dc5d3558075b055c56b…

https://github.com/python/cpython/commit/d22922c8a7958353689dc4763dd72da2dea03f…

https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f90574779467…

https://github.com/python/cpython/issues/148169

https://github.com/python/cpython/pull/148170

https://mail.python.org/archives/list/security-announce@python.org/thread/JQDUN…

Share Post Share Share Share

CVE Details

CVE ID

CVE-2026-4786

Published Date

Apr 13, 2026

Vendor

Mitgation

Severity

HIGH

CVSS v4.0 Score

7.0

High severity. Prioritize patching.

Exploit Prediction (EPSS)

Probability of Exploit 0.02%

Likelihood of exploitation in next 30 days

Percentile: 5.4th percentile (higher than 5.4% of all CVEs)

Standard patching cycle

Impact

Full data disclosure

Complete data modification

Source

Editor's Choice