CVE-2026-6019

Vendor	Product	Version / Range
python	cpython	3.10
python	cpython	3.11
python	cpython	3.12
python	cpython	3.13
python	cpython	3.14

CWE ID	Description
CWE-150	The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the improper escaping of cookie values embedded in JavaScript via the http.cookies.Morsel.js_output() method, which can lead to HTML injection or XSS attacks.

To detect this vulnerability on your system or network, you can inspect HTTP responses that include inline <script> elements generated by Python's http.cookies.Morsel.js_output() method and check if cookie values are embedded without Base64 encoding.

A practical approach is to capture HTTP traffic and search for suspicious cookie values inside script tags that contain unescaped sequences like </script>.

Example commands using common tools:

Using curl to fetch a page and grep for suspicious script tags with cookie values: curl -s http://targetsite | grep -Po '<script[^>]*>.*document\.cookie.*</script>'
Using tcpdump or Wireshark to capture HTTP traffic and filter for Set-Cookie headers or inline scripts containing cookie values.
Using grep or similar tools on server-side logs or source code to find usage of js_output() method or inline script generation with cookies.

Note that the vulnerability is mitigated by Base64 encoding cookie values before embedding them in JavaScript, so detection involves verifying whether Base64 encoding is applied.

Can you explain this vulnerability to me?

The vulnerability in CVE-2026-6019 exists in Python's http.cookies.Morsel.js_output() method, which generates an inline <script> snippet embedding cookie values for JavaScript use.

The method only escapes double quotes (") within the JavaScript string context but does not neutralize the HTML parser-sensitive sequence </script>. This allows an attacker to inject malicious HTML or JavaScript by prematurely terminating the script element.

The issue is mitigated by base64-encoding the cookie value before embedding it in the JavaScript, preventing malicious sequences from breaking out of the script context.

How can this vulnerability impact me? :

This vulnerability can lead to cross-site scripting (XSS) attacks by allowing an attacker to inject malicious scripts into web pages through cookie values.

Such XSS attacks can compromise user data, hijack user sessions, or perform unauthorized actions on behalf of the user.

However, the vulnerability is considered low severity and requires specific conditions to be exploitable.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should ensure that cookie values embedded in JavaScript are base64-encoded before insertion. This prevents malicious sequences like </script> from breaking out of the script context and causing HTML injection or cross-site scripting (XSS) attacks.

Specifically, update to the fixed version of Python where the http.cookies.Morsel.js_output() method has been modified to base64-encode cookie values. This fix was merged on April 22, 2026, and backported automatically to Python versions 3.13 and 3.14.

If you are using affected Python versions prior to these fixes, consider applying the patch from the official Python repository or upgrading to a patched version to prevent exploitation.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the improper escaping of cookie values embedded in JavaScript via the http.cookies.Morsel.js_output() method, which can lead to HTML injection or XSS attacks.

To detect this vulnerability on your system or network, you can inspect HTTP responses that include inline <script> snippets generated by this method and check if cookie values are properly Base64-encoded or if they contain unescaped sequences like </script>.

A practical approach is to capture HTTP traffic and search for suspicious cookie values embedded directly in JavaScript without Base64 encoding.

Use a network traffic capture tool like tcpdump or Wireshark to capture HTTP responses.
Run a command to filter HTTP responses containing inline <script> tags with cookie values, for example using grep:
tcpdump -A -s 0 'tcp port 80' | grep -i '<script'
Then inspect the output for cookie values embedded in JavaScript strings that are not Base64-encoded or contain the sequence </script>.
Alternatively, if you have access to the Python environment, review the usage of http.cookies.Morsel.js_output() in your codebase to verify if Base64 encoding is applied to cookie values before embedding.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not specify any direct impact of CVE-2026-6019 on compliance with common standards and regulations such as GDPR or HIPAA.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the `http.cookies.Morsel.js_output()` method embedding cookie values directly into JavaScript without proper encoding, allowing HTML injection via sequences like </script>.

To detect this vulnerability on your system or network, you can inspect HTTP responses that include inline JavaScript snippets generated by this method and check if cookie values are embedded without Base64 encoding.

A practical approach is to capture HTTP traffic and search for inline <script> elements containing cookie values that include suspicious sequences such as </script> or unescaped characters.

Use a network capture tool like tcpdump or Wireshark to capture HTTP responses.
Run a command to filter HTTP responses containing inline scripts with cookie values, for example using grep:
tcpdump -A -s 0 'tcp port 80' | grep -i '<script' -A 5 | grep -E '</script>|"'
Alternatively, if you have access to the Python environment, review the source code or logs to verify if the `js_output()` method is used without Base64 encoding.

Since the fix involves Base64 encoding cookie values before embedding, detecting unencoded cookie values in inline scripts is a key indicator of vulnerability.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not specify how CVE-2026-6019 affects compliance with common standards and regulations such as GDPR or HIPAA.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not specify any direct impact of CVE-2026-6019 on compliance with common standards and regulations such as GDPR or HIPAA.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the `http.cookies.Morsel.js_output()` method embedding cookie values directly into JavaScript without proper encoding, which can lead to HTML injection if the cookie value contains sequences like </script>.

To detect this vulnerability on your system or network, you can inspect HTTP responses that include inline JavaScript snippets generated by this method and check if cookie values are embedded without Base64 encoding.

One approach is to capture HTTP traffic and search for inline script tags containing cookie values that include suspicious sequences such as </script> or unescaped double quotes.

Example commands using common tools:

Using curl to fetch a page and grep for suspicious inline scripts: curl -s http://yourserver | grep -E '<script.*cookie.*</script>'
Using tcpdump or tshark to capture HTTP traffic and filter for script tags with cookie values: tshark -Y 'http contains "<script" and http contains "cookie"' -T fields -e http.file_data
Manually inspecting the JavaScript output in the HTTP response for unencoded cookie values or sequences like </script> that could break out of the script context.

Note that the vulnerability is mitigated by Base64 encoding cookie values before embedding them in JavaScript, so properly encoded cookie values indicate the fix is applied.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the `http.cookies.Morsel.js_output()` method embedding cookie values directly into JavaScript without proper encoding, allowing HTML injection via sequences like </script>.

To detect this vulnerability on your system or network, you can inspect HTTP responses that include inline JavaScript snippets generated by Python's `http.cookies.Morsel.js_output()` method and check if cookie values are embedded without Base64 encoding.

A practical approach is to capture HTTP traffic and search for inline script tags containing cookie values that include suspicious sequences such as </script> or unencoded special characters.

Use a network traffic capture tool like tcpdump or Wireshark to capture HTTP responses.
Run a command to extract HTTP response bodies and search for inline scripts with cookie values, for example using grep or similar tools.
Example command to capture HTTP traffic on port 80 and save to a file: `tcpdump -i any -s 0 -w capture.pcap port 80`
Example command to extract HTTP payloads and search for suspicious inline scripts: `tshark -r capture.pcap -Y 'http.response' -T fields -e http.file_data | grep -i '</script>'`
Alternatively, if you have access to the Python environment, review the source code or runtime behavior of `http.cookies.Morsel.js_output()` to verify if Base64 encoding is applied to cookie values.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not specify any direct impact of CVE-2026-6019 on compliance with common standards and regulations such as GDPR or HIPAA.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the `http.cookies.Morsel.js_output()` method embedding cookie values directly into JavaScript without proper encoding, allowing HTML injection via sequences like </script>.

To detect this vulnerability on your system or network, you can inspect HTTP responses that include inline JavaScript snippets generated by Python's `http.cookies.Morsel.js_output()` method and check if cookie values are embedded without Base64 encoding.

A practical approach is to capture HTTP traffic and search for inline script elements containing cookie values that include suspicious sequences such as </script> or unencoded special characters.

Example commands to detect potentially vulnerable outputs include:

Using curl and grep to fetch and inspect HTTP responses for suspicious inline scripts: `curl -s http://targetsite | grep -E '<script.*cookie.*</script>'`
Using a network traffic capture tool like tcpdump or Wireshark to capture HTTP responses and then searching for unencoded cookie values in inline scripts.
Using grep or similar tools on server-side source code or logs to find usage of `js_output()` method without Base64 encoding.

Note that the vulnerability was fixed by Base64-encoding cookie values before embedding them in JavaScript, so presence of raw cookie values in inline scripts is an indicator of vulnerability.