Description

http.cookies.Morsel.js_output() returns an inline <script> snippet and escapes only the double quote (") for the JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element, so a cookie value containing that sequence terminates the script element before the JavaScript parser sees it. The mitigation base64-encodes the cookie value so that the value cannot be used to escape the script context.

PUBLISHED Reserved 2026-04-09 | Published 2026-04-22 | Updated 2026-06-10 | Assigner PSF

LOW: 2.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-150 Improper neutralization of escape, meta, or control sequences

Product status

Default status
unaffected

Any version before 3.13.14
affected

3.14.0a1 (python) before 3.14.5rc1
affected

3.15.0a1 (python) before 3.15.0b1
affected

Credits

oolongeya (https://github.com/komi22) reporter

Seth Larson (https://github.com/sethmlarson) coordinator

References

github.com/python/cpython/pull/148848 patch

github.com/python/cpython/issues/90309 issue-tracking

mail.python.org/.../thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/ vendor-advisory

github.com/...ommit/76b3923d688c0efc580658476c5f525ec8735104 patch

github.com/...ommit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c patch

github.com/...ommit/f795e042043dfe26c42e1971d4502c1cdc4c65b8 patch

cve.org (CVE-2026-6019)

nvd.nist.gov (CVE-2026-6019)