CVE-2026-4786

Name	CVE-2026-4786
Description	Mitgation of CVE-2026-4519 was incomplete. If the URL contained "%action" the mitigation could be bypassed for certain browser types the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
jython (PTS)	bullseye	2.7.2+repack1-3	fixed
	bookworm, trixie	2.7.3+repack1-1	fixed
	forky, sid	2.7.3+repack1-1	vulnerable
pypy3 (PTS)	bullseye	7.3.5+dfsg-2+deb11u2	fixed
	bullseye (security)	7.3.5+dfsg-2+deb11u5	fixed
	bookworm	7.3.11+dfsg-2+deb12u3	fixed
	trixie	7.3.19+dfsg-2	fixed
	forky	7.3.21+dfsg-4	vulnerable
	sid	7.3.22+dfsg-1	fixed
python2.7 (PTS)	bullseye	2.7.18-8+deb11u1	fixed
python3.11 (PTS)	bookworm	3.11.2-6+deb12u6	fixed
	bookworm (security)	3.11.2-6+deb12u3	fixed
python3.13 (PTS)	trixie	3.13.5-2	fixed
	forky, sid	3.13.12-1	vulnerable
python3.14 (PTS)	forky	3.14.4-2	vulnerable
	sid	3.14.5~rc1-1	vulnerable
python3.9 (PTS)	bullseye	3.9.2-1	vulnerable
	bullseye (security)	3.9.2-1+deb11u6	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
jython	source	bullseye	(not affected)
jython	source	bookworm	(not affected)
jython	source	trixie	(not affected)
jython	source	(unstable)	(unfixed)
pypy3	source	bullseye	(not affected)
pypy3	source	bookworm	(not affected)
pypy3	source	trixie	(not affected)
pypy3	source	(unstable)	7.3.22+dfsg-1
python2.7	source	bullseye	(not affected)
python2.7	source	(unstable)	(unfixed)
python3.11	source	bookworm	(not affected)
python3.11	source	(unstable)	(unfixed)
python3.13	source	trixie	(not affected)
python3.13	source	(unstable)	(unfixed)
python3.14	source	(unstable)	(unfixed)
python3.9	source	(unstable)	(unfixed)

Notes

[trixie] - python3.13 <not-affected> (Incomplete fix not released)
[bookworm] - python3.11 <not-affected> (Incomplete fix not released)
[bullseye] - python2.7 <not-affected> (Incomplete fix not released)
[trixie] - jython <not-affected> (Incomplete fix not released)
[bookworm] - jython <not-affected> (Incomplete fix not released)
[bullseye] - jython <not-affected> (Incomplete fix not released)
[trixie] - pypy3 <not-affected> (Incomplete fix not released)
[bookworm] - pypy3 <not-affected> (Incomplete fix not released)
[bullseye] - pypy3 <not-affected> (Incomplete fix not released)
Incomplete fix for CVE-2026-4519, followup fixes listed there:
https://mail.python.org/archives/list/security-announce@python.org/thread/JQDUNJVB4AQNTJECSUKOBDU3XCJIPSE5/
https://github.com/python/cpython/issues/148169
https://github.com/python/cpython/pull/148170