TNCVE-2026-6019 — Vulnetix

TNCVE-2026-6019 PUBLISHED

http.cookies.Morsel.js_output() returns an inline snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.

Timeline

Apr 22, 2026 CVE Published

References

Tenable: CVE-2026-6019 advisory

Open in Interactive Console →