CVE-2026-6019
6.1 MEDIUMhttp.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context
Published: 2026-04-22 · Last updated: 2026-05-28
Severity and scoring
- CVSS
- 6.1 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- CWE
- CWE-116, CWE-150
Affected products
| Vendor | Product |
|---|---|
| python | python |
Description
http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-6019
- [Patch]https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c
- [Patch]https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104
- [Patch]https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8
- [Exploit reference]https://github.com/python/cpython/issues/90309
- [Patch]https://github.com/python/cpython/pull/148848
- [Vendor advisory]https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/
Related CVEs
Same vendor
- CVE-2026-7210 — `xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML d... (9.8 CRITICAL)
- CVE-2026-3087 — If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be... (7.5 HIGH)
- CVE-2026-4224 — When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content mo... (7.5 HIGH)
- CVE-2026-3644 — The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete (7.5 HIGH)
- CVE-2025-13462 — The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member suc... (9.8 CRITICAL)
Same CWE
- CVE-2026-42558 — Xibo is an open source digital signage platform with a web content management system and Windows display player software (7.6 HIGH)
- CVE-2026-53693 — A stored cross-site scripting vulnerability existed in MISP BSimVis tag rendering code
- CVE-2026-49472 — FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implem... (5.3 MEDIUM)
- CVE-2026-8795 — A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6 (7.8 HIGH)
- CVE-2026-46496 — HAX CMS helps manage microsite universe with PHP or NodeJs backends