Python CPython <3.15.0 Morsel.js_output XSS via <script>
CVE-2026-6019 Published on April 22, 2026
BaseCookie.js_output() does not neutralize embedded characters
http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for the JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element, so a cookie value containing that sequence closes the script element early and whatever follows is parsed as markup (an XSS primitive whenever an application writes the snippet into a page). The fix base64-encodes the cookie value inside the generated snippet, so the emitted script body can no longer contain a closing script tag.
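As an added illustration (not code from this advisory or from CPython), the snippet below reproduces the breakout the description refers to and shows the base64 hardening it mentions. legacy_js_output() is a constructed stand-in for the pre-fix behaviour (inline script element, only " escaped; its exact template text is not the stdlib's), hardened_js_output() is an assumed shape of the fix rather than CPython's actual patch, and the cookie value, the atob() decoding and the HTML-parser check are constructed here for the demonstration.

```python
"""Added example: why a raw </script> in a cookie value breaks out of the
script element that Morsel.js_output() emits, and how base64 closes it.
Not the CPython implementation; see the lead-in for what is assumed."""
import base64
import re
from html.parser import HTMLParser
from http.cookies import Morsel, SimpleCookie


def make_morsel(name: str, value: str) -> Morsel:
    """Build a Morsel the way an application normally does, via SimpleCookie.

    SimpleCookie.value_encode() quotes the value (wraps it in '"' and
    backslash-escapes '"', '\\' and control bytes) but leaves '<', '>' and
    '/' untouched, so a literal </script> survives into OutputString().
    """
    jar = SimpleCookie()
    jar[name] = value
    return jar[name]


def legacy_js_output(morsel: Morsel) -> str:
    """Constructed stand-in for the pre-fix behaviour the advisory describes:
    the serialized cookie lands inside an inline <script> and only '"' is
    escaped, which protects the JavaScript string but not the HTML parser."""
    js_string = morsel.OutputString().replace('"', r'\"')
    return ('<script type="text/javascript">\n'
            'document.cookie = "%s";\n'
            '</script>\n' % js_string)


def hardened_js_output(morsel: Morsel) -> str:
    """Assumed shape of the fix: base64 the whole cookie string.

    The script body then only ever contains [A-Za-z0-9+/=], so no byte
    sequence inside it can be read by the HTML parser as an end tag.
    The browser decodes it with atob() before assigning document.cookie.
    """
    encoded = base64.b64encode(morsel.OutputString().encode("utf-8")).decode("ascii")
    return ('<script type="text/javascript">\n'
            'document.cookie = atob("%s");\n'
            '</script>\n' % encoded)


class _TagRecorder(HTMLParser):
    """Record the start tags an HTML parser actually sees in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def parsed_tags(html: str) -> list[str]:
    """Start tags the stdlib HTML parser recognises; an 'img' here means the
    payload escaped the script element and became live markup."""
    parser = _TagRecorder()
    parser.feed(html)
    parser.close()
    return parser.tags


_SCRIPT_END = re.compile(r"</script[\s/>]", re.IGNORECASE)


def script_end_tags(html: str) -> int:
    """Count of sequences an HTML tokenizer treats as a script end tag.
    A correctly built snippet has exactly one (its own closing tag)."""
    return len(_SCRIPT_END.findall(html))


# Constructed attacker-controlled cookie value (e.g. echoed from user input).
PAYLOAD = "</script><img src=x onerror=alert(1)>"

if __name__ == "__main__":
    m = make_morsel("session", PAYLOAD)
    print(legacy_js_output(m))
    print("legacy tags:  ", parsed_tags(legacy_js_output(m)))    # ['script', 'img']
    print("hardened tags:", parsed_tags(hardened_js_output(m)))  # ['script']
```

The check deliberately uses an HTML parser rather than a JavaScript one: the JavaScript string is intact in the legacy output (every " is escaped), which is exactly why escaping for the wrong downstream parser does not help. Base64 is only one way to make the body inert; JSON-encoding the value with < escaped as \u003c would also work, but the advisory names base64, so that is what is shown.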
Weakness Type
Improper Neutralization of Escape, Meta, or Control Sequences
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component. As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.
Products Associated with CVE-2026-6019
Affected Versions
Python Software Foundation CPython:
- All versions before 3.13.14 are affected.
- 3.14.0a1 and later, before 3.14.5rc1, are affected.
- 3.15.0a1 and later, before 3.15.0b1, are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.