CVE-2026-6019

EPSS 0.06%
Veröffentlicht 22.04.2026 19:28:08
Zuletzt bearbeitet 29.04.2026 16:16:28
Quelle cna@python.org
CVE-Watchlists
Login
Unerledigt
Login

BaseCookie.js_output() does not neutralize embedded characters

http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerPython Software Foundation

≫

Produkt CPython

Default Statusunaffected

Version 0

Version < 3.15.0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.187

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cna@python.org	2.1	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

https://github.com/python/cpython/pull/148848

https://github.com/python/cpython/issues/90309

https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/

https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104

https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c

https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8

https://nvd.nist.gov/vuln/detail/CVE-2026-6019

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-6019

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-6019

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-6019