← Retour aux CVEs
CVE-2026-6019
N/ADescription
http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
Details CVE
Score CVSS v3.1N/A
Publie4/22/2026
Derniere modification4/22/2026
Sourcenvd
Observations honeypot0
Faiblesses (CWE)
CWE-150
References
https://github.com/python/cpython/issues/90309(cna@python.org)
https://github.com/python/cpython/pull/148848(cna@python.org)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.