Skip to main content

CPython CVE-2026-6019

| EUVDEUVD-2026-25079 LOW
Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150)
2026-04-22 PSF
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Generated
Apr 23, 2026 - 07:01 vuln.today
CVSS changed
Apr 22, 2026 - 20:22 NVD
2.1 (LOW)
EUVD ID Assigned
Apr 22, 2026 - 20:01 euvd
EUVD-2026-25079
Analysis Generated
Apr 22, 2026 - 20:01 vuln.today
Patch released
Apr 22, 2026 - 20:01 nvd
Patch available
CVE Published
Apr 22, 2026 - 19:28 nvd
LOW 2.1

DescriptionCVE.org

http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.

AnalysisAI

CPython's http.cookies.Morsel.js_output() method generates inline script snippets that fail to neutralize the HTML parser-sensitive sequence </script>, allowing attackers with high privilege levels to inject arbitrary JavaScript by crafting malicious cookie values. While the method escapes double quotes for JavaScript string context, it does not prevent premature termination of the script element through </script> injection, resulting in limited information disclosure. The vendor has released patches addressing this inadequate escaping mechanism through base64-encoding of cookie values.

Technical ContextAI

The vulnerability resides in Python's standard library http.cookies module, specifically the Morsel.js_output() method which generates HTML script elements containing cookie values. The root cause is incomplete output encoding (CWE-150) - the function escapes only double-quote characters for JavaScript string context but does not account for HTML parser-sensitive sequences like </script> that can prematurely close the script element. When a cookie value contains </script>, the HTML parser interprets this as the end of the script block regardless of JavaScript string context, allowing execution of injected HTML/JavaScript that follows. The fix employs base64-encoding of cookie values to eliminate any characters that could be misinterpreted by the HTML parser, ensuring the entire value is treated as opaque data within the script string.

RemediationAI

Upgrade CPython to version 3.15.0 or later to receive the vendor-released patch that base64-encodes cookie values in the http.cookies.Morsel.js_output() method (see https://github.com/python/cpython/pull/148848 and commit 76b3923d688c0efc580658476c5f525ec8735104). If immediate upgrade is not possible, the primary workaround is to avoid relying on http.cookies.Morsel.js_output() for generating script content; instead, use alternative cookie serialization methods that do not embed cookie values directly in HTML script elements. If cookie values must be embedded in JavaScript, manually apply base64-encoding or use a robust HTML/JavaScript escaping library (such as markupsafe or bleach) before passing values to Morsel.js_output(). This adds processing overhead but eliminates parser-sensitive sequence injection. A secondary control is to enforce Content Security Policy (CSP) headers that restrict inline script execution, mitigating the impact of injected script content, though this does not prevent the underlying escaping flaw and may break legitimate functionality.

CVE-2026-6100 CRITICAL
9.1 Apr 13

CPython decompression modules (lzma, bz2, gzip) allow memory corruption via use-after-free when decompressor instances a

CVE-2026-11972 HIGH
8.2 Jun 23

Denial of service in CPython's tarfile module allows remote attackers to trigger an infinite loop by supplying a crafted

CVE-2026-9669 HIGH
8.2 Jun 08

Stack-based buffer overflow in CPython's bz2.BZ2Decompressor allows remote attackers to crash Python applications by sen

CVE-2026-11940 HIGH
7.8 Jun 23

Path traversal in CPython's tarfile module allows a crafted tar archive to bypass the 'data' and 'tar' extraction filter

CVE-2026-4786 HIGH
7.0 Apr 13

Command injection in CPython's webbrowser.open() API bypasses previous CVE-2026-4519 mitigation via specially crafted UR

CVE-2026-4519 HIGH
7.0 Mar 20

The webbrowser.open() API in CPython accepts URLs with leading dashes, which certain web browsers interpret as command-l

CVE-2026-7774 MEDIUM
6.9 Jun 04

Path traversal in CPython's tarfile module allows malicious tar archives to bypass the data_filter safety mechanism and

CVE-2026-7210 MEDIUM
6.3 May 11

XML parsers in CPython's xml.parsers.expat and xml.etree.ElementTree modules use insufficient entropy for Expat hash-flo

CVE-2026-3276 MEDIUM
6.3 Jun 03

Denial-of-service via quadratic algorithmic complexity in CPython's unicodedata.normalize() affects all CPython versions

CVE-2026-8328 MEDIUM
5.9 May 13

Server-Side Request Forgery in CPython's ftplib module allows a malicious FTP source server to redirect a target FTP ser

CVE-2026-12003 MEDIUM
5.3 Jun 16

Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a mor

CVE-2026-0864 MEDIUM
4.1 Jun 23

Config file injection in CPython's configparser module allows an attacker who controls multi-line values written via con

Share

CVE-2026-6019 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy