CVE-2026-6019
CVE-2026-6019 is a medium-severity vulnerability in Python with a CVSS 3.x base score of 6.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-116.
Key facts
- Severity: Medium (CVSS 3.x base score 6.1)
- CVSS v4: 2.1
- EPSS exploit prediction: 0% (14th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-25079
- Weakness: CWE-116
- Affected product: Python
- Published:
- Last modified:
Description
http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
Frequently asked questions
- What is CVE-2026-6019?
- http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
- How severe is CVE-2026-6019?
- CVE-2026-6019 has a CVSS 3.x base score of 6.1, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2026-6019 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (14th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-6019?
- CVE-2026-6019 affects Python. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-6019?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-6019 have an EU (EUVD) identifier?
- Yes. CVE-2026-6019 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-25079.
- When was CVE-2026-6019 published?
- CVE-2026-6019 was published on 2026-04-22 and last updated on 2026-06-17.
References
- https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c
- https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104
- https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8
- https://github.com/python/cpython/issues/90309
- https://github.com/python/cpython/pull/148848
- https://mail.python.org/archives/list/[email protected]/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/
Affected products (1)
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
More vulnerabilities in Python
- CVE-2008-5031 — Critical (CVSS 10.0): Multiple integer overflows in Python 2.2.3 through 2.5.1, and 2.6, allow context-dependent attackers to have an unknown…
- CVE-2022-48565 — Critical (CVSS 9.8): An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity…
- CVE-2022-37454 — Critical (CVSS 9.8): The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow…
- CVE-2021-29921 — Critical (CVSS 9.8): In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string.…
- CVE-2021-3177 — Critical (CVSS 9.8): Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code…
- CVE-2020-27619 — Critical (CVSS 9.8): In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via…
Other CWE-116 vulnerabilities
- CVE-2025-55730 — Critical (CVSS 10.0): XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in…
- CVE-2025-55729 — Critical (CVSS 10.0): XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Starting in…
- CVE-2023-47143 — Critical (CVSS 10.0): IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.10 is vulnerable to HTTP header injection,…
- CVE-2023-26472 — Critical (CVSS 9.9): XWiki Platform is a generic wiki platform. Starting in version 6.2-milestone-1, one can execute any wiki content with…
- CVE-2022-41934 — Critical (CVSS 9.9): XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with…
- CVE-2022-36100 — Critical (CVSS 9.9): XWiki Platform Applications Tag and XWiki Platform Tag UI are tag applications for XWiki, a generic wiki platform.…
Browse all CWE-116 vulnerabilities →
Threat intelligence
Threat-intel indicators referencing this CVE:
- 41.63.62.103 (ipv4-addr)
- 203.192.232.180 (ipv4-addr)
- 149.86.233.213 (ipv4-addr)
- 141.109.168.26 (ipv4-addr)
- 141.109.168.107 (ipv4-addr)
- 125.212.235.194 (ipv4-addr)
- 120.28.109.188 (ipv4-addr)
- 103.61.123.132 (ipv4-addr)