#1136197 jython: CVE-2026-4519

Package:
src:jython
Source:
src:jython
Submitter:
Moritz Mühlenhoff
Date:
2026-05-10 18:05:04 UTC
Severity:
normal
Tags:
#1136197#5
Date:
2026-05-10 18:03:44 UTC
From:
To:
Hi,

The following vulnerability was published for jython.

CVE-2026-4519[0]:
| The webbrowser.open() API would accept leading dashes in the URL
| which  could be handled as command line options for certain web
| browsers. New  behavior rejects leading dashes. Users are
| recommended to sanitize URLs  prior to passing to webbrowser.open().

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-4519
https://www.cve.org/CVERecord?id=CVE-2026-4519

Please adjust the affected versions in the BTS as needed.