Vulnerability Description
http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes `"` for the JavaScript string context. It does not neutralize the HTML-parser-sensitive sequence </script> inside the generated script element, so a cookie value containing </script> terminates the element early and any markup that follows it is parsed as HTML rather than as part of the JavaScript string. The fix base64-encodes the cookie value before embedding it, so the value can escape neither the string literal nor the enclosing script element.
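The following Python example is added here to make the issue concrete; it is not code from this page or from CPython. It builds a Morsel the way SimpleCookie does, emits the snippet with a reproduction of the pre-fix template (written from the description above, an assumption, not copied from the stdlib), and contrasts it with a base64-encoding variant in the spirit of the fix. The helper names (`make_morsel`, `legacy_js_output`, `safe_js_output`, `script_close_count`, `breaks_out_of_script`) and the attacker value are constructed for this demonstration.

```python
import base64
import re
from http.cookies import SimpleCookie, Morsel

# Constructed attacker-controlled cookie value. The HTML tokenizer, not the
# JavaScript engine, is what matters: once it sees "</script" the inline script
# element ends, and the "<script>" that follows opens a new one that runs.
ATTACKER_VALUE = '</script><script>alert(1)//'

# Case-insensitive on purpose: the HTML tokenizer matches "</ScRiPt" as well.
_SCRIPT_CLOSE = re.compile(r'</script', re.IGNORECASE)


def make_morsel(name: str, value: str) -> Morsel:
    """Build a Morsel exactly as SimpleCookie does (value_encode -> _quote).

    _quote only octal-escapes characters outside its unescaped set; '<', '>'
    and '/' are in that set, so "</script>" survives untouched inside quotes.
    """
    jar = SimpleCookie()
    jar[name] = value
    return jar[name]


def legacy_js_output(morsel: Morsel) -> str:
    """Reproduction of the pre-fix Morsel.js_output() template (assumption:
    written from the advisory text, not copied from CPython). It escapes only
    '"' for the JavaScript string and nothing for the HTML parser."""
    return (
        '<script type="text/javascript">\n'
        'document.cookie = "%s";\n'
        '</script>'
    ) % morsel.OutputString().replace('"', r'\"')


def safe_js_output(morsel: Morsel) -> str:
    """Hardened variant (added here, not CPython's code): the cookie string is
    base64-encoded before it is embedded. The base64 alphabet (A-Z a-z 0-9 + / =)
    contains no '<', '"' or backslash, so the value can terminate neither the
    JS string literal nor the <script> element; the browser decodes it with atob.

    Cookie strings are ASCII on the wire, so non-ASCII input is rejected loudly
    (atob returns bytes as Latin-1 and would otherwise mangle it).
    """
    encoded = base64.b64encode(morsel.OutputString().encode('ascii')).decode('ascii')
    return (
        '<script type="text/javascript">\n'
        'document.cookie = atob("%s");\n'
        '</script>'
    ) % encoded


def script_close_count(snippet: str) -> int:
    """Number of '</script' sequences an HTML parser would see in the snippet.
    A well-formed inline snippet contains exactly one: its own closing tag."""
    return len(_SCRIPT_CLOSE.findall(snippet))


def breaks_out_of_script(snippet: str) -> bool:
    """Detection check: any '</script' beyond the closing tag means injected
    markup is parsed as HTML, i.e. the cookie-value-to-XSS pivot described above."""
    return script_close_count(snippet) > 1


if __name__ == '__main__':
    m = make_morsel('session', ATTACKER_VALUE)
    print(legacy_js_output(m))
    print('legacy breaks out of <script>:', breaks_out_of_script(legacy_js_output(m)))
    print(safe_js_output(m))
    print('safe breaks out of <script>:', breaks_out_of_script(safe_js_output(m)))
```

Run it on a patched or unpatched interpreter alike: `script_close_count` is the check to run over any inline script you emit from cookie or other user-controlled data, and the base64 route is preferable to ad-hoc escaping of `<` and `/` because it removes the whole class of HTML-sensitive bytes rather than the ones you remembered.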
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python | CPython | < 3.15.0 |
Related Weaknesses (CWE)
References
- https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76 (Patch)
- https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec873510 (Patch)
- https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b (Patch)
- https://github.com/python/cpython/issues/90309 (Exploit, Issue Tracking)
- https://github.com/python/cpython/pull/148848 (Issue Tracking, Patch)
- https://mail.python.org/archives/list/[email protected]/thread/IVNWGV (Vendor Advisory, Mailing List)
FAQ
What is CVE-2026-6019?
CVE-2026-6019 is a vulnerability with a CVSS score of 6.1 (MEDIUM). http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes `"` for the JavaScript string context. It does not neutralize the HTML-parser-sensitive sequence </script> inside the generated script element, so a cookie value containing </script> can terminate the element and inject markup that the browser parses as HTML.
How severe is CVE-2026-6019?
CVE-2026-6019 has been rated MEDIUM with a CVSS base score of 6.1/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2026-6019?
Check the References section above for vendor advisories and patch information. Affected products include: Python CPython (versions before 3.15.0).