CVE-2026-6019Improper Neutralization of Escape, Meta, or Control Sequences in Software Foundation Cpython

CWE-150Improper Neutralization of Escape, Meta, or Control SequencesCWE-79Cross-site Scripting5 documents5 sources
Severity
2.1LOWNVD
EPSS
0.1%
top 84.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
17
Python Software Foundation CpythonDebian Python3.11Debian Python3.13+14 more
Timeline
PublishedApr 22

Description

http.cookies.Morsel.js_output() returns an inline snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages17 packages

Red Hatpython/python

🔴Vulnerability Details

2
GHSA
GHSA-2755-2mm4-rm5c: http2026-04-22
VulDB
Python CPython up to 3.14.x HTML Parser http.cookies.Morsel.js_output control sequence (ID 90309 / EUVD-2026-25079)2026-04-22

📋Vendor Advisories

1
Red Hat
python: Python: Cross-Site Scripting (XSS) vulnerability in http.cookies module2026-04-22

💬Community

1
Bugzilla
CVE-2026-6019 python: Python: Cross-Site Scripting (XSS) vulnerability in http.cookies module2026-04-22
CVE-2026-6019 — LOW severity | cvebase