Workflow

PyPi: Qutebrowser

CVE-2019-5786

Transitive

Safety vulnerability ID: 36280

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jun 27, 2019 Updated at Feb 15, 2025
Scan your Python projects for vulnerabilities →

Advisory

Qutebrowser 1.6.1 ships with Qt 5.12.2 in the macOS and Windows releases, which includes security fixes up to Chromium 72.0.3626.121 (including CVE-2019-5786 which is known to be exploited in the wild).

Affected package

qutebrowser

Latest version: 3.4.0

A keyboard-driven, vim-like browser based on Python and Qt.

Affected versions

Fixed versions

Vulnerability changelog

Security

- An XSS vulnerability on the `qute://history` page allowed websites to inject
HTML into the page via a crafted title tag. This could allow them to steal
your browsing history. If you're currently unable to upgrade, avoid using
`:history`. A CVE request for this issue is pending, see
https://github.com/qutebrowser/qutebrowser/issues/4011[4011] for updates.

Fixed

- Crash in a workaround for a Qt 5.11 bug in rare circumstances.
- Workaround for a Qt bug which preserves searches between page loads.
- In v1.3.2 a dependency on the `PyQt5.QtQuickWidgets` module was accidentally
introduced. Since that module isn't packaged everywhere, it's been removed
again.

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

MEDIUM 6.5

CVSS v3 Details

MEDIUM 6.5
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
REQUIRED
Scope (S)
UNCHANGED
Confidentiality Impact (C)
NONE
Integrity Impact (I)
NONE
Availability Availability (A)
HIGH

CVSS v2 Details

MEDIUM 4.3
Access Vector (AV)
NETWORK
Access Complexity (AC)
MEDIUM
Authentication (Au)
NONE
Confidentiality Impact (C)
NONE
Integrity Impact (I)
NONE
Availability Impact (A)
PARTIAL