PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6019 Python Software Foundation CVE debrief

A vulnerability in Python's http.cookies.Morsel.js_output() method allows HTML injection through insufficient escaping. The method generates an inline <script> element containing cookie data, escaping only double quotes for JavaScript string safety but failing to neutralize the </script> sequence. This permits an attacker with control over cookie values to prematurely close the script element and inject arbitrary HTML. The CVSS 4.0 vector indicates network attack vector with low attack complexity, privileged access required, and low impacts to confidentiality and integrity. The issue affects CPython versions prior to 3.15.0. The Python security team addressed this by base64-encoding cookie values to prevent parser escape sequences from functioning.

Vendor: Python Software Foundation
Product: CPython
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-22
Original CVE updated: 2026-05-18
Advisory published: 2026-04-22
Advisory updated: 2026-05-18

Who should care

  • Organizations running Python web applications that use http.cookies.Morsel.js_output() to generate client-side cookie-setting scripts
  • Security teams assessing HTML injection risks in legacy Python applications
  • Developers maintaining applications with server-generated JavaScript cookie handling

Technical summary

The http.cookies.Morsel.js_output() method in Python's standard library generates an inline <script> element that sets a cookie in the browser. The implementation escapes double quotes, which protects the JavaScript string context, but does not escape HTML-sensitive sequences, specifically </script>. An HTML parser tokenizes script content without regard to JavaScript string escaping, so an attacker controlling a cookie value can inject this sequence to terminate the script element prematurely and place arbitrary HTML into the document. The fix base64-encodes the cookie value, so the data inside the script element is drawn only from the base64 alphabet and cannot contain an end-tag sequence for the HTML parser to recognize. The vulnerability requires privileged access to cookie values, and its impact is limited because js_output() is used only in a narrow context.

Defensive priority

low

Recommended defensive actions

  • Upgrade CPython to version 3.15.0 or later to obtain the base64-encoding mitigation for js_output()
  • Audit applications using http.cookies.Morsel.js_output() for cookie value injection points
  • Validate and sanitize cookie values before passing them to js_output() if patching is not immediately feasible
  • Review web application Content Security Policy to restrict inline script execution where possible
  • Monitor python.org security-announce mailing list for related advisories
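As an added illustration (not CPython's own code and not code from this debrief), the block below reproduces the two rendering patterns described in the technical summary, a check that reports whether rendered output could close the script element early, and the kind of interim value check the third recommended action calls for. The cookie string itself is built with the real standard library (SimpleCookie and Morsel.OutputString(), which are not changed by the fix); the two renderers, the checks and all function names are this example's own, and decoding with atob() on the client is an assumption about the shape of the fix, not the exact JavaScript CPython emits.

```python
"""Added illustration of the js_output() escaping gap and the base64 fix.

This is example code, not CPython's implementation. The cookie string is
built with the real standard library (SimpleCookie / Morsel.OutputString);
the two renderers below mirror the pre-fix and post-fix patterns described
in the debrief, and the checks are this example's own helpers.
"""
import base64
import re
from http.cookies import SimpleCookie

# An HTML tokenizer leaves the script data state on "</script" followed by
# whitespace, "/" or ">", regardless of any JavaScript string quoting.
_SCRIPT_END = re.compile(r"</script[\s/>]", re.IGNORECASE)

# Argument of the atob() call emitted by hardened_js_output() below.
_ATOB_ARG = re.compile(r'atob\("([A-Za-z0-9+/=]*)"\)')


def cookie_string(name: str, value: str, **attrs: str) -> str:
    """Build the 'name=value; Attr=...' string a Morsel emits (stdlib code)."""
    jar = SimpleCookie()
    jar[name] = value  # value_encode() quotes values containing < / > etc.
    for attr, attr_value in attrs.items():
        jar[name][attr] = attr_value
    return jar[name].OutputString()


def legacy_js_output(cookie: str) -> str:
    """Pre-fix pattern: only double quotes are escaped, which keeps the
    JavaScript string literal intact but leaves any </script> visible to
    the HTML parser."""
    escaped = cookie.replace('"', '\\"')
    return (
        '<script type="text/javascript">\n'
        'document.cookie = "' + escaped + '";\n'
        '</script>\n'
    )


def hardened_js_output(cookie: str) -> str:
    """Post-fix pattern: the cookie string is base64-encoded, so the bytes
    between the script tags come only from [A-Za-z0-9+/=] and can never form
    an end tag. Decoding with atob() is this example's assumption about the
    client side, not the exact JavaScript CPython emits."""
    encoded = base64.b64encode(cookie.encode("utf-8")).decode("ascii")
    return (
        '<script type="text/javascript">\n'
        'document.cookie = atob("' + encoded + '");\n'
        '</script>\n'
    )


def breaks_out_of_script(html: str) -> bool:
    """True when the rendered markup carries more than the one legitimate
    closing tag, i.e. cookie data could end the script element early."""
    return len(_SCRIPT_END.findall(html)) > 1


def decode_hardened(html: str) -> str:
    """Mirror the browser's atob() on the hardened output so the round trip
    can be verified server-side."""
    match = _ATOB_ARG.search(html)
    if match is None:
        raise ValueError("no base64 payload in rendered script")
    return base64.b64decode(match.group(1)).decode("utf-8")


def is_safe_for_legacy_js_output(value: str) -> bool:
    """Interim input check for unpatched interpreters: reject any value that
    could start a tag or comment inside script data. Conservative by design;
    legitimate cookie values rarely contain '<'."""
    return "<" not in value


if __name__ == "__main__":
    # Constructed sample values, not observed data.
    benign = cookie_string("session", "abc123", path="/")
    hostile = cookie_string("session", "</script><b>injected</b>", path="/")
    for label, cookie in (("benign", benign), ("hostile", hostile)):
        print(label, "legacy breakout:", breaks_out_of_script(legacy_js_output(cookie)))
        print(label, "hardened breakout:", breaks_out_of_script(hardened_js_output(cookie)))
        print(label, "round trip ok:", decode_hardened(hardened_js_output(cookie)) == cookie)
```

The breakout check is useful as a regression test around any code that still calls js_output() on an unpatched interpreter: run it over the rendered markup for every cookie value the application can emit. The value check is only an interim control; the upgrade to 3.15.0 remains the fix, because base64 encoding removes the problem at the output stage rather than relying on every input path being filtered.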

Evidence notes

Official CVE record published 2026-04-22; NVD analysis completed with vendor patches confirmed. Multiple commits address the escaping deficiency. Vendor advisory issued via python.org security-announce mailing list.

Official resources

2026-04-22