NVD Vulnerability Detail

Search Exploit, PoC

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2026-6019

Summary	http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
Publication Date	April 23, 2026, 5:16 a.m.
Registration Date	April 25, 2026, 4:06 a.m.
Last Update	April 23, 2026, 6:23 a.m.

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104	cna@python.org
2	https://github.com/python/cpython/issues/90309	cna@python.org
3	https://github.com/python/cpython/pull/148848	cna@python.org
4	https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/	cna@python.org

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-150	エスケープ、メタ、またはコントロールシーケンスの不適切な無効化	https://cwe.mitre.org/data/definitions/150.html