QwikSec

Security Database

CVE

CWE

Training

CVE-2026-6019

Published: Apr 22, 2026

Modified: Apr 29, 2026

PUBLISHED

Description

http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.

Vendor	Product	Versions
Python Software Foundation	CPython	affected `0 - < 3.15.0`

Weaknesses (CWE)

References

https://github.com/python/cpython/pull/148848

patch

https://github.com/python/cpython/issues/90309

issue-tracking

https://mail.python.org/archives/list/[email protected]/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/

vendor-advisory

https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104

patch

https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c

patch

https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8

patch

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.