← Voltar para CVEs
CVE-2026-6019
N/ADescricao
http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
Detalhes CVE
Pontuacao CVSS v3.1N/A
Publicado4/22/2026
Ultima modificacao4/22/2026
Fontenvd
Avistamentos honeypot0
Fraquezas (CWE)
CWE-150
Referencias
https://github.com/python/cpython/issues/90309(cna@python.org)
https://github.com/python/cpython/pull/148848(cna@python.org)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.