Python CPython <3.15.0 Morsel.js_output XSS via <script>
CVE-2026-6019 Published on April 22, 2026
BaseCookie.js_output() does not neutralize embedded characters
http.cookies.Morsel.js_output() returns an inline <script> snippet that assigns the cookie string to a JavaScript string, and it only escapes " for that JavaScript string context. It does not neutralize the HTML-parser-sensitive sequence </script> inside the generated script element, so a cookie value containing </script> closes the element early and any markup that follows is parsed as HTML rather than as JavaScript. The fix base64-encodes the cookie value so that the value itself can no longer break out of the string or the script element.
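The breakout described above, as an added example that is not part of this page or of CPython's own code: vulnerable_js_output reproduces the pre-fix behaviour the advisory describes (an inline <script> that escapes only the double quote), safe_js_output applies the base64 approach the fix takes, and breaks_out_of_script is a constructed check that looks for a premature </script in the emitted snippet. The payload, the helper names and the TextDecoder-based decode on the browser side are assumptions made for illustration.

```python
import base64
import re
from http.cookies import Morsel, SimpleCookie

# Constructed attacker-controlled cookie value. The HTML parser ends a script
# element at the first "</script" it sees, regardless of JavaScript quoting.
PAYLOAD = '</script><script>alert(document.domain)</script>'

# Approximation of the HTML tokenizer's end-tag rule: "</script" followed by
# whitespace, "/" or ">" closes the element, case-insensitively.
_SCRIPT_END = re.compile(r'</script[\s/>]', re.IGNORECASE)


def make_morsel(name: str, value: str) -> Morsel:
    """Build a Morsel the way application code normally does, via SimpleCookie.
    The stdlib quoting leaves '<', '/' and '>' untouched, so the payload survives."""
    jar = SimpleCookie()
    jar[name] = value
    return jar[name]


def vulnerable_js_output(morsel: Morsel) -> str:
    """Reproduction of the pre-fix behaviour described in the advisory (not a copy
    of CPython's source): wrap the cookie string in an inline <script> and escape
    only the double quote, which is all the JavaScript string context needs."""
    js_string = morsel.OutputString().replace('"', r'\"')
    return (
        '<script type="text/javascript">\n'
        f'document.cookie = "{js_string}";\n'
        '</script>\n'
    )


def safe_js_output(morsel: Morsel) -> str:
    """Hardened variant along the lines of the fix the advisory names: base64 the
    whole cookie string, so the script body contains only [A-Za-z0-9+/=], and
    decode it in the browser. TextDecoder (an assumption for the client side)
    handles non-ASCII bytes that atob() alone would mangle."""
    encoded = base64.b64encode(morsel.OutputString().encode('utf-8')).decode('ascii')
    return (
        '<script type="text/javascript">\n'
        'document.cookie = new TextDecoder().decode(\n'
        f'    Uint8Array.from(atob("{encoded}"), c => c.charCodeAt(0)));\n'
        '</script>\n'
    )


def breaks_out_of_script(snippet: str) -> bool:
    """True if anything before the helper's own closing tag would already end the
    script element, i.e. the cookie string escaped into HTML context."""
    body = snippet[:snippet.rfind('</script>')]
    return _SCRIPT_END.search(body) is not None


def decode_cookie_string(snippet: str) -> str:
    """Recover the string the browser would assign to document.cookie from the
    hardened output, to confirm the encoding is lossless."""
    match = re.search(r'atob\("([A-Za-z0-9+/=]*)"\)', snippet)
    if match is None:
        raise ValueError('no base64 payload found')
    return base64.b64decode(match.group(1)).decode('utf-8')


if __name__ == '__main__':
    morsel = make_morsel('session', PAYLOAD)
    print(vulnerable_js_output(morsel))   # the payload's </script> closes the element
    print(safe_js_output(morsel))         # only base64 reaches the script body
```

Note that the cookie string itself still contains </script> after the fix; base64 changes only what reaches the HTML parser, which is the right layer, since the stdlib's cookie quoting is designed for the Set-Cookie header and not for HTML. breaks_out_of_script is a heuristic for reviewing templates or rendered pages, not a substitute for upgrading CPython.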
Weakness Type
Improper Neutralization of Escape, Meta, or Control Sequences
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component. As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.
Products Associated with CVE-2026-6019
Affected Versions
Python Software Foundation CPython: versions before 3.15.0 are affected.