Request for a new security release to address CVE-2026-4519

[abulava]

Description

The vulnerability CVE-2026-4519 has been successfully patched in the main branch (see commit: 82a24a4) and backported to supported versions. However, these fixes have not yet been included in official security releases.

Context

This situation is currently causing significant friction in downstream security tooling.

Specifically, this issue is being discussed in the Anchore Grype community as well: anchore/grype#3312.

Currently, this creates a major blocker for CI/CD pipelines and DevSecOps compliance, as security gates prevent deployment due to unresolved high-severity vulnerabilities that cannot be remediated via standard updates. Another complicating factor is the lack of consensus on the severity level of this CVE; notably, Anchore Grype flags it as a high-severity vulnerability based on "CVSS 4.0 Severity and Vector Strings."

Proposed Solution

Could you please consider creating a new security release for the affected stable branches that includes the fix for CVE-2026-4519? This would allow the security ecosystem to correctly recognize the fix and enable users to remediate the vulnerability.

Thank you for your hard work and for maintaining the Python ecosystem!

[hugovk]

(Removing 3.13-3.14 labels as bugfix branches will be released per schedule; next are due on Tuesday.)

[sethmlarson]

Hello! Releases aren't free, they require lots of work from release managers, so the benefit needs to match. For this reason we don't tend to accelerate security releases unless absolutely necessary due to the severity of the vulnerability. In the case you mention, this vulnerability:

• Is moderate severity according to our CVSS calculation. It's unlikely to be remotely triggerable, too.
• Affects a very, very small number of users (the webbrowser module is not used often). If you are affected it is easy to patch yourself, too.
• Is easy to mitigate in any Python application (import webbrowser; del webbrowser.open)

Keep in mind that we are combining this with a strategy of assigning CVEs to more bugs that have a security impact, even if that impact is less. If we are expected to make a release every time a CVE is issued across all versions we will be extremely disincentivized to assign CVEs, meaning security issues won't properly be labeled and users won't be able to pick and choose which security issues they should mitigate for.

I hope this answers your questions.

[abulava]

I hope this answers your questions.

@sethmlarson Thanks a lot for the detailed answer. It covers my concerns completely.

@hugovk @skirpichev Probably, it makes sense to close this issue. Thank you for your time.