CVE-2026-6019 - Vulnerability Details

- BaseCookie.js_output() does not neutralize embedded characters

Description

http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.

Published: 2026-04-22

Score: 2.1 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The http.cookies.Morsel.js_output function emits an inline <script> element, escaping only the double‑quote character for JavaScript string contexts. It fails to neutralize the HTML‑parser sensitive sequence </script> that could appear inside a cookie value. Because the value is inserted directly into the script tag, an attacker who can manipulate the cookie could close the script prematurely and inject arbitrary JavaScript, resulting in cross‑site scripting. The weakness is classified as CWE‑79. The CVSS score of 2.1 indicates a low severity, but the vulnerability remains exploitable when the vulnerable code is used.

Affected Systems

All CPython implementations provided by the Python Software Foundation that employ the http.cookies.Morsel.js_output method are affected. The CVE record does not specify exact affected releases, so any CPython version prior to the commit that base64‑encodes cookie values for js_output is potentially vulnerable. Applications that render cookie values via js_output should verify that the patched code is present.

Risk and Exploitability

The EPSS score is less than 1 %, and the vulnerability is not listed in CISA’s KEV catalog, indicating that no active exploitation is currently reported. Nonetheless, if an attacker can control the cookie value, they can inject malicious scripts into the page, compromising confidentiality and integrity of user data. The risk is mitigated by applying the patched CPython release or by ensuring that cookie values are properly sanitized before being embedded in a script element.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Python Software Foundation

CPython

unaffected

Version	Status	Constraints
`0`	affected	< 3.15.0

No data.

Vendor Product Confidence Versions

Python

Cpython

95%

Version	Status	Scheme	Platform
`[0,3.15.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update CPython to a release that contains the commit which base64‑encodes cookie values for js_output.
In applications that call http.cookies.Morsel.js_output, ensure that cookie values are base64‑encoded or otherwise sanitized before rendering the script element.
If a patch cannot be applied immediately, implement server‑side validation that rejects or encodes any cookie value containing the sequence </script> to prevent premature script termination.

Generated by OpenCVE AI on April 28, 2026 at 20:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00061.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c
https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104
https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8
https://github.com/python/cpython/issues/90309
https://github.com/python/cpython/pull/148848
https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/
https://nvd.nist.gov/vuln/detail/CVE-2026-6019
https://www.cve.org/CVERecord?id=CVE-2026-6019

History

Wed, 29 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
References		https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8

Sat, 25 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-79
References		https://nvd.nist.gov/vuln/detail/CVE-2026-6019 https://www.cve.org/CVERecord?id=CVE-2026-6019
Metrics	threat_severity `None`	cvssV3_1 `{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}` threat_severity `Moderate`

Wed, 22 Apr 2026 22:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Python Python cpython
Vendors & Products		Python Python cpython

Wed, 22 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 22 Apr 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
Title		BaseCookie.js_output() does not neutralize embedded characters
Weaknesses		CWE-150
References		https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104 https://github.com/python/cpython/issues/90309 https://github.com/python/cpython/pull/148848 https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/
Metrics		cvssV4_0 `{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

Python Cpython

MITRE

Status: PUBLISHED

Assigner: PSF

Published: 2026-04-22T19:28:08.720Z

Updated: 2026-04-29T15:31:09.049Z

Reserved: 2026-04-09T15:35:00.668Z

Link: CVE-2026-6019

Vulnrichment

Updated: 2026-04-22T20:02:21.519Z

NVD

Status : Awaiting Analysis

Published: 2026-04-22T20:16:42.617

Modified: 2026-04-29T16:16:28.240

Link: CVE-2026-6019

Redhat

Severity : Moderate

Publid Date: 2026-04-22T19:28:08Z

Links: CVE-2026-6019 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T20:45:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object