CVE-2026-6019
BaseCookie.js_output() does not neutralize embedded characters
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
| CWE | CWE-150 |
| Vendor | python software foundation |
| Product | cpython |
| Published | Apr 22, 2026 |
| Last Updated | Apr 22, 2026 |
Stay Ahead of the Next One
Get instant alerts for python software foundation cpython
Be the first to know when new unknown vulnerabilities affecting python software foundation cpython are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Python Software Foundation / CPython
0 < 3.15.0
References
github.com: https://github.com/python/cpython/pull/148848 github.com: https://github.com/python/cpython/issues/90309 mail.python.org: https://mail.python.org/archives/list/[email protected]/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/ github.com: https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104
Credits
๐ oolongeya (https://github.com/komi22) Seth Larson (https://github.com/sethmlarson)