LOW
Python Software Foundation
CVE published 2026-04-22
CVE-2026-6019
A vulnerability in Python's http.cookies.Morsel.js_output() method allows HTML injection through insufficient escaping. The method generates an inline <script> element containing cookie data, escaping only double quotes for JavaScript string safety but failing to neutralize the </script> sequence. This permits an attacker with control over cookie values to prematurely close the script element and inject a [truncated]
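One way to check an interpreter for the behaviour described above and to emit the inline script safely, as an added example that is not part of the advisory or of CPython. The function names and the probe value are constructed for illustration, and the check assumes an affected build passes the probe's `</script` sequence through unchanged.

```python
import json
from http.cookies import CookieError, SimpleCookie

# Constructed probe: harmless markup that would end an inline <script> element.
PROBE = "v</script><i>probe</i>"


def js_string_literal(text: str) -> str:
    """Encode text as a JavaScript string literal that is inert inside <script>."""
    # json.dumps escapes quotes, backslashes, control and non-ASCII characters.
    literal = json.dumps(text)
    # The HTML parser runs before the JavaScript parser, so also escape the
    # characters it could act on; "\u003c" still means "<" to JavaScript.
    for char, escaped in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(char, escaped)
    return literal


def safe_cookie_script(morsel) -> str:
    """Hypothetical stand-in for Morsel.js_output() using the encoder above."""
    return "<script>document.cookie = %s;</script>" % js_string_literal(
        morsel.OutputString()
    )


def closing_tags(html: str) -> int:
    """Count script end tags; exactly one is expected in a single element."""
    return html.lower().count("</script")


def js_output_is_affected() -> bool:
    """True if this interpreter's js_output() lets the probe close the element."""
    cookie = SimpleCookie()
    try:
        cookie["session"] = PROBE
        rendered = cookie["session"].js_output()
    except (AttributeError, CookieError):
        # Method removed or value rejected: the probe cannot reach the page.
        return False
    return closing_tags(rendered) > 1


if __name__ == "__main__":
    jar = SimpleCookie()
    jar["session"] = PROBE
    print("stdlib js_output() affected:", js_output_is_affected())
    print("safe rendering:", safe_cookie_script(jar["session"]))
```

Run it under each Python build that serves pages using `js_output()`; the safe rendering keeps a single script end tag regardless of the cookie value.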