VDB
CVE-2026-6019
PUBLISHED
CVSS 2.1 LOW
http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes the double-quote character (") for the JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element, so a cookie value containing that sequence can terminate the script element early. The fix base64-encodes the cookie value so that the value cannot be used to escape the script element.
EPSS 0.03% · 9.4th percentile
Risk Scores
CVSS v4.0
2.1
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS Score
0.03%
9.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python Software Foundation | CPython | 0 |
Timeline
- Apr 22, 2026 CVE Published
- Apr 22, 2026 CVE Updated
- Apr 23, 2026 EPSS Score
- Apr 23, 2026 Security Advisory
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
References
- https://github.com/python/cpython/pull/148848 patch
- https://github.com/python/cpython/issues/90309 issue
- https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/ vendor-advisory
- https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104 patch
- https://nvd.nist.gov/vuln/detail/CVE-2026-6019 advisory
- https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3 url