CVE-2026-6019
Description
http.cookies.Morsel.js_output() returns an inline <script> snippet that embeds the cookie string in a JavaScript string literal and escapes only the double quote (") for that string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element, so a cookie value containing </script> closes the element early and whatever follows is parsed as HTML rather than as part of the JavaScript string. The fix base64-encodes the cookie value so that the emitted text cannot break out of the script element.
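As an added example (not code from this page or from CPython), the block below reproduces the pre-fix shape of the js_output() template, shows why escaping only the double quote does nothing for the HTML tokenizer, and places a base64-encoding variant beside it. The template text, the attacker cookie string and all function names are constructed for illustration; hardened_js_output() is an assumption about the shape of the fix, not the upstream patch itself.

```python
import base64
import re

# Pre-fix shape of Morsel.js_output(): the cookie string is pasted into a
# JavaScript string literal and only '"' is escaped. Reproduced here for
# illustration; nothing is imported from the stdlib cookie module.
VULNERABLE_TEMPLATE = (
    '<script type="text/javascript">\n'
    '<!-- begin hiding\n'
    'document.cookie = "%s";\n'
    '// end hiding -->\n'
    '</script>\n'
)

# Constructed attacker-controlled cookie string (the name=value text that
# OutputString() would emit for a stored value): it closes the script
# element and opens a new one.
ATTACKER_COOKIE = 'session=x</script><script>alert(1)</script>'


def vulnerable_js_output(cookie_string: str) -> str:
    """Escape '"' for the JS string context only; '</script>' survives."""
    return VULNERABLE_TEMPLATE % cookie_string.replace('"', r'\"')


def hardened_js_output(cookie_string: str) -> str:
    """Illustrative base64 variant (an assumption about the fix's shape, not
    the CPython patch verbatim). The base64 alphabet [A-Za-z0-9+/=] contains
    no '<', so no substring of the emitted script can end the element early.
    Cookie strings are ASCII (Morsel octal-escapes anything else), which is
    also what atob() reconstructs byte-for-byte in the browser."""
    encoded = base64.b64encode(cookie_string.encode('ascii')).decode('ascii')
    return (
        '<script type="text/javascript">\n'
        'document.cookie = atob("%s");\n'
        '</script>\n'
    ) % encoded


# The HTML tokenizer looks for '</script' case-insensitively and knows
# nothing about JavaScript quoting, so backslash-escaping '"' is irrelevant.
_SCRIPT_END_TAG = re.compile(r'</script', re.IGNORECASE)


def breaks_out_of_script(snippet: str) -> bool:
    """Conservative check: a well-formed snippet contains exactly one
    '</script' (its own closing tag). Any other occurrence is treated as a
    breakout. The real tokenizer has extra states entered via '<!--' and
    '<script' inside script data; this check errs on the side of flagging."""
    return len(_SCRIPT_END_TAG.findall(snippet)) != 1


def browser_side_cookie(snippet: str) -> str:
    """Mimic atob() on the hardened snippet to confirm the round trip."""
    match = re.search(r'atob\("([A-Za-z0-9+/=]*)"\)', snippet)
    if match is None:
        raise ValueError('no atob() call found in snippet')
    return base64.b64decode(match.group(1)).decode('ascii')


if __name__ == '__main__':
    bad = vulnerable_js_output(ATTACKER_COOKIE)
    print(bad)
    print('vulnerable breaks out:', breaks_out_of_script(bad))
    good = hardened_js_output(ATTACKER_COOKIE)
    print(good)
    print('hardened breaks out:', breaks_out_of_script(good))
    print('browser decodes to:', browser_side_cookie(good))
```

Base64 is the route the page describes; the other standard option for a JavaScript string context is to escape `<` as `\x3c` (and `/` as `\/`) so the literal bytes `</script` never appear in the document, which keeps the value readable but must be applied on top of the existing `"` escaping, not instead of it.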
Mitigations
No community mitigations have been published for this CVE yet; the upstream CPython commits and the distribution trackers are listed under References.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | fixed | 3.14.5~rc1-1 |
| debian | sid | fixed | 3.14.5~rc1-1 |
| debian | trixie | fixed | 3.13.5-2+deb13u2 |
References
- https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c
- https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104
- https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8
- https://github.com/python/cpython/issues/90309
- https://github.com/python/cpython/pull/148848
- https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/
- https://www.suse.com/security/cve/CVE-2026-6019.html
- https://security-tracker.debian.org/tracker/CVE-2026-6019
CWEs
CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences), CWE-116 (Improper Encoding or Escaping of Output)