← Back to CVEs
CVE-2026-6019
N/ADescription
http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
CVE Details
CVSS v3.1 ScoreN/A
Published4/22/2026
Last Modified4/22/2026
Sourcenvd
Honeypot Sightings0
Weaknesses (CWE)
CWE-150
References
https://github.com/python/cpython/issues/90309(cna@python.org)
https://github.com/python/cpython/pull/148848(cna@python.org)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.