Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
AnalysisAI
CPython's http.cookies.Morsel.js_output() method generates inline script snippets that fail to neutralize the HTML parser-sensitive sequence </script>, allowing attackers with high privilege levels to inject arbitrary JavaScript by crafting malicious cookie values. While the method escapes double quotes for JavaScript string context, it does not prevent premature termination of the script element through </script> injection, resulting in limited information disclosure. The vendor has released patches addressing this inadequate escaping mechanism through base64-encoding of cookie values.
Technical ContextAI
The vulnerability resides in Python's standard library http.cookies module, specifically the Morsel.js_output() method which generates HTML script elements containing cookie values. The root cause is incomplete output encoding (CWE-150) - the function escapes only double-quote characters for JavaScript string context but does not account for HTML parser-sensitive sequences like </script> that can prematurely close the script element. When a cookie value contains </script>, the HTML parser interprets this as the end of the script block regardless of JavaScript string context, allowing execution of injected HTML/JavaScript that follows. The fix employs base64-encoding of cookie values to eliminate any characters that could be misinterpreted by the HTML parser, ensuring the entire value is treated as opaque data within the script string.
RemediationAI
Upgrade CPython to version 3.15.0 or later to receive the vendor-released patch that base64-encodes cookie values in the http.cookies.Morsel.js_output() method (see https://github.com/python/cpython/pull/148848 and commit 76b3923d688c0efc580658476c5f525ec8735104). If immediate upgrade is not possible, the primary workaround is to avoid relying on http.cookies.Morsel.js_output() for generating script content; instead, use alternative cookie serialization methods that do not embed cookie values directly in HTML script elements. If cookie values must be embedded in JavaScript, manually apply base64-encoding or use a robust HTML/JavaScript escaping library (such as markupsafe or bleach) before passing values to Morsel.js_output(). This adds processing overhead but eliminates parser-sensitive sequence injection. A secondary control is to enforce Content Security Policy (CSP) headers that restrict inline script execution, mitigating the impact of injected script content, though this does not prevent the underlying escaping flaw and may break legitimate functionality.
CPython decompression modules (lzma, bz2, gzip) allow memory corruption via use-after-free when decompressor instances a
Denial of service in CPython's tarfile module allows remote attackers to trigger an infinite loop by supplying a crafted
Stack-based buffer overflow in CPython's bz2.BZ2Decompressor allows remote attackers to crash Python applications by sen
Path traversal in CPython's tarfile module allows a crafted tar archive to bypass the 'data' and 'tar' extraction filter
Command injection in CPython's webbrowser.open() API bypasses previous CVE-2026-4519 mitigation via specially crafted UR
The webbrowser.open() API in CPython accepts URLs with leading dashes, which certain web browsers interpret as command-l
Path traversal in CPython's tarfile module allows malicious tar archives to bypass the data_filter safety mechanism and
XML parsers in CPython's xml.parsers.expat and xml.etree.ElementTree modules use insufficient entropy for Expat hash-flo
Denial-of-service via quadratic algorithmic complexity in CPython's unicodedata.normalize() affects all CPython versions
Server-Side Request Forgery in CPython's ftplib module allows a malicious FTP source server to redirect a target FTP ser
Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a mor
Config file injection in CPython's configparser module allows an attacker who controls multi-line values written via con
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25079