CVE-2026-6019
Analyzed Analyzed - Analysis Complete
Cross-Site Scripting in Python http.cookies.Morsel.js_output

Publication date: 2026-04-22

Last updated on: 2026-05-28

Assigner: Python Software Foundation

Description
http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-05-28
Generated
2026-06-16
AI Q&A
2026-04-23
EPSS Evaluated
2026-06-14
NVD
CVE-2026-6019
EUVD
EUVD-2026-25079
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
python python to 3.15.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-150 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-6019 on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The vulnerability in CVE-2026-6019 exists in Python's http.cookies.Morsel.js_output() method, which generates an inline <script> snippet embedding cookie values for JavaScript use.

The method only escapes double quotes (") within the JavaScript string context but does not neutralize the HTML parser-sensitive sequence </script>. This allows an attacker to inject malicious HTML or JavaScript by prematurely terminating the script element.

The issue is mitigated by base64-encoding the cookie value before embedding it in the JavaScript, preventing malicious sequences from breaking out of the script context.

Impact Analysis

This vulnerability can lead to cross-site scripting (XSS) attacks by allowing an attacker to inject malicious scripts into web pages through cookie values.

Such XSS attacks can compromise user data, hijack user sessions, or perform unauthorized actions on behalf of the user.

However, the vulnerability is considered low severity and requires specific conditions to be exploitable.

Mitigation Strategies

To mitigate this vulnerability, you should ensure that cookie values embedded in JavaScript are base64-encoded before insertion. This prevents malicious sequences like </script> from breaking out of the script context and causing HTML injection or cross-site scripting (XSS) attacks.

Specifically, update to the fixed version of Python where the http.cookies.Morsel.js_output() method has been modified to base64-encode cookie values. This fix was merged on April 22, 2026, and backported automatically to Python versions 3.13 and 3.14.

If you are using affected Python versions prior to these fixes, consider applying the patch from the official Python repository or upgrading to a patched version to prevent exploitation.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the improper escaping of cookie values embedded in JavaScript via the http.cookies.Morsel.js_output() method, which can lead to HTML injection or XSS attacks.

To detect this vulnerability on your system or network, you can inspect HTTP responses that include inline <script> snippets generated by this method and check if cookie values are properly Base64-encoded or if they contain unescaped sequences like </script>.

A practical approach is to capture HTTP traffic and search for suspicious cookie values embedded directly in JavaScript without Base64 encoding.

  • Use a network traffic capture tool like tcpdump or Wireshark to capture HTTP responses.
  • Run a command to filter HTTP responses containing inline <script> tags with cookie values, for example using grep:
  • tcpdump -A -s 0 'tcp port 80' | grep -i '<script'
  • Then inspect the output for cookie values embedded in JavaScript strings that are not Base64-encoded or contain the sequence </script>.
  • Alternatively, if you have access to the Python environment, review the usage of http.cookies.Morsel.js_output() in your codebase to verify if Base64 encoding is applied to cookie values before embedding.
Compliance Impact

The provided information does not specify any direct impact of CVE-2026-6019 on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the `http.cookies.Morsel.js_output()` method embedding cookie values directly into JavaScript without proper encoding, allowing HTML injection via sequences like </script>.

To detect this vulnerability on your system or network, you can inspect HTTP responses that include inline JavaScript snippets generated by this method and check if cookie values are embedded without Base64 encoding.

A practical approach is to capture HTTP traffic and search for inline <script> elements containing cookie values that include suspicious sequences such as </script> or unescaped characters.

  • Use a network capture tool like tcpdump or Wireshark to capture HTTP responses.
  • Run a command to filter HTTP responses containing inline scripts with cookie values, for example using grep:
  • tcpdump -A -s 0 'tcp port 80' | grep -i '<script' -A 5 | grep -E '</script>|"'
  • Alternatively, if you have access to the Python environment, review the source code or logs to verify if the `js_output()` method is used without Base64 encoding.

Since the fix involves Base64 encoding cookie values before embedding, detecting unencoded cookie values in inline scripts is a key indicator of vulnerability.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-6019 on compliance with common standards and regulations such as GDPR or HIPAA.

Compliance Impact

The provided information does not specify how CVE-2026-6019 affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the improper escaping of cookie values embedded in JavaScript via the http.cookies.Morsel.js_output() method, which can lead to HTML injection or XSS attacks.

To detect this vulnerability on your system or network, you can inspect HTTP responses that include inline <script> elements generated by Python's http.cookies.Morsel.js_output() method and check if cookie values are embedded without Base64 encoding.

A practical approach is to capture HTTP traffic and search for suspicious cookie values inside script tags that contain unescaped sequences like </script>.

Example commands using common tools:

  • Using curl to fetch a page and grep for suspicious script tags with cookie values: curl -s http://targetsite | grep -Po '<script[^>]*>.*document\.cookie.*</script>'
  • Using tcpdump or Wireshark to capture HTTP traffic and filter for Set-Cookie headers or inline scripts containing cookie values.
  • Using grep or similar tools on server-side logs or source code to find usage of js_output() method or inline script generation with cookies.

Note that the vulnerability is mitigated by Base64 encoding cookie values before embedding them in JavaScript, so detection involves verifying whether Base64 encoding is applied.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the `http.cookies.Morsel.js_output()` method embedding cookie values directly into JavaScript without proper encoding, allowing HTML injection via sequences like </script>.

To detect this vulnerability on your system or network, you can inspect HTTP responses that include inline JavaScript snippets generated by Python's `http.cookies.Morsel.js_output()` method and check if cookie values are embedded without Base64 encoding.

A practical approach is to capture HTTP traffic and search for inline script tags containing cookie values that include suspicious sequences such as </script> or unencoded special characters.

  • Use a network traffic capture tool like tcpdump or Wireshark to capture HTTP responses.
  • Run a command to extract HTTP response bodies and search for inline scripts with cookie values, for example using grep or similar tools.
  • Example command to capture HTTP traffic on port 80 and save to a file: `tcpdump -i any -s 0 -w capture.pcap port 80`
  • Example command to extract HTTP payloads and search for suspicious inline scripts: `tshark -r capture.pcap -Y 'http.response' -T fields -e http.file_data | grep -i '</script>'`
  • Alternatively, if you have access to the Python environment, review the source code or runtime behavior of `http.cookies.Morsel.js_output()` to verify if Base64 encoding is applied to cookie values.
Compliance Impact

The provided information does not specify any direct impact of CVE-2026-6019 on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the `http.cookies.Morsel.js_output()` method embedding cookie values directly into JavaScript without proper encoding, allowing HTML injection via sequences like </script>.

To detect this vulnerability on your system or network, you can inspect HTTP responses that include inline JavaScript snippets generated by Python's `http.cookies.Morsel.js_output()` method and check if cookie values are embedded without Base64 encoding.

A practical approach is to capture HTTP traffic and search for inline script elements containing cookie values that include suspicious sequences such as </script> or unencoded special characters.

Example commands to detect potentially vulnerable outputs include:

  • Using curl and grep to fetch and inspect HTTP responses for suspicious inline scripts: `curl -s http://targetsite | grep -E '<script.*cookie.*</script>'`
  • Using a network traffic capture tool like tcpdump or Wireshark to capture HTTP responses and then searching for unencoded cookie values in inline scripts.
  • Using grep or similar tools on server-side source code or logs to find usage of `js_output()` method without Base64 encoding.

Note that the vulnerability was fixed by Base64-encoding cookie values before embedding them in JavaScript, so presence of raw cookie values in inline scripts is an indicator of vulnerability.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-6019 on compliance with common standards and regulations such as GDPR or HIPAA.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the `http.cookies.Morsel.js_output()` method embedding cookie values directly into JavaScript without proper encoding, allowing HTML injection via sequences like </script>.

To detect this vulnerability on your system or network, you can inspect HTTP responses that include inline JavaScript snippets generated by Python's `http.cookies.Morsel.js_output()` method and check if cookie values are embedded without Base64 encoding.

A practical approach is to capture HTTP traffic and search for inline script tags containing cookie values that include suspicious sequences such as </script> or unescaped quotes.

Example commands to help detect this vulnerability include:

  • Using curl and grep to fetch and inspect HTTP responses for suspicious cookie embedding patterns: `curl -s http://targetsite | grep -E '<script.*cookie.*(</script>|"|\')'`
  • Using a network packet capture tool like tcpdump or Wireshark to capture HTTP traffic and filter for responses containing inline scripts with cookie values.
  • Manually reviewing source code or logs of Python applications using `http.cookies.Morsel.js_output()` to verify if Base64 encoding is applied to cookie values.
Compliance Impact

The provided information does not specify any direct impact of CVE-2026-6019 on compliance with common standards and regulations such as GDPR or HIPAA.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-6019 on compliance with common standards and regulations such as GDPR or HIPAA.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-6019 on compliance with common standards and regulations such as GDPR or HIPAA.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-6019 on compliance with common standards and regulations such as GDPR or HIPAA.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the improper escaping of cookie values embedded in JavaScript via the http.cookies.Morsel.js_output() method, which can lead to HTML injection or XSS attacks.

To detect this vulnerability on your system or network, you can inspect HTTP responses that include inline <script> snippets generated by the vulnerable js_output() method and check if cookie values are properly Base64-encoded.

Specifically, look for cookie values embedded directly in JavaScript without Base64 encoding, especially if sequences like </script> appear unescaped within the script context.

Suggested commands to help detect this include:

  • Using curl or wget to fetch HTTP responses and grep to search for suspicious cookie embeddings:
  • curl -i http://yourserver/path | grep -E '<script.*>.*document\.cookie.*</script>'
  • curl -i http://yourserver/path | grep -E '</script>'
  • Inspect cookies in browser developer tools to see if cookie values are Base64-encoded or contain suspicious characters.
  • Use network traffic inspection tools like Wireshark or Burp Suite to analyze HTTP responses for inline scripts embedding cookie values without proper encoding.
Detection Guidance

This vulnerability involves the `http.cookies.Morsel.js_output()` method embedding cookie values directly into JavaScript without proper encoding, which can lead to HTML injection if the cookie value contains sequences like </script>.

To detect this vulnerability on your system or network, you can inspect HTTP responses that include inline JavaScript snippets generated by this method and check if cookie values are embedded without Base64 encoding.

One approach is to capture HTTP traffic and search for inline script tags containing cookie values that include suspicious sequences such as </script> or unescaped double quotes.

Example commands using common tools:

  • Using curl to fetch a page and grep for suspicious inline scripts: curl -s http://yourserver | grep -E '<script.*cookie.*</script>'
  • Using tcpdump or tshark to capture HTTP traffic and filter for script tags with cookie values: tshark -Y 'http contains "<script" and http contains "cookie"' -T fields -e http.file_data
  • Manually inspecting the JavaScript output in the HTTP response for unencoded cookie values or sequences like </script> that could break out of the script context.

Note that the vulnerability is mitigated by Base64 encoding cookie values before embedding them in JavaScript, so properly encoded cookie values indicate the fix is applied.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-6019 on compliance with common standards and regulations such as GDPR or HIPAA.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-6019 on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the `http.cookies.Morsel.js_output()` method embedding cookie values directly into JavaScript without proper encoding, allowing HTML injection via sequences like </script>.

To detect this vulnerability on your system or network, you can inspect HTTP responses that include inline JavaScript snippets generated by Python's `http.cookies.Morsel.js_output()` method and check if cookie values are embedded without Base64 encoding.

A practical approach is to capture HTTP traffic and search for inline script tags containing cookie values that include suspicious sequences such as </script> or unencoded special characters.

Example commands to help detect this vulnerability include:

  • Using curl and grep to fetch and inspect HTTP responses for suspicious inline scripts: `curl -s http://targetsite | grep -E '<script.*cookie.*</script>'`
  • Using a network packet capture tool like tcpdump or Wireshark to capture HTTP traffic and filter for scripts containing cookie values.
  • Using grep or similar tools on server-side logs or source code to identify usage of `js_output()` method without Base64 encoding.

Since the vulnerability is fixed by Base64 encoding cookie values, checking if cookie values are Base64 encoded in the JavaScript context is a key indicator of whether the vulnerability is present.

Detection Guidance

This vulnerability involves the `http.cookies.Morsel.js_output()` method embedding cookie values directly into JavaScript without proper encoding, allowing HTML injection via sequences like </script>.

To detect this vulnerability on your system or network, you can inspect HTTP responses that include inline JavaScript snippets generated by this method and check if cookie values are embedded without Base64 encoding.

A practical approach is to capture HTTP traffic and search for inline script elements containing cookie values that include the sequence </script> or other suspicious characters that are not Base64-encoded.

  • Use a network traffic capture tool like tcpdump or Wireshark to capture HTTP responses.
  • Run a command to filter HTTP responses containing inline scripts with cookie values, for example using grep on saved HTTP response files:
  • grep -i -r --include='*.html' '<script' /path/to/http/responses | grep -E '</script>|"'
  • Alternatively, use curl or wget to fetch pages from your web application and inspect the inline scripts for unencoded cookie values.
  • Check your Python environment for the version of CPython and whether the fix (Base64 encoding in js_output()) has been applied, by reviewing the source code in Lib/http/cookies.py or the changelog.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6019. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart