CVE-2026-6019— BaseCookie.js_output() does not neutralize embedded characters
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-6019
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
BaseCookie.js_output() does not neutralize embedded characters
Source: NVD (National Vulnerability Database)
Vulnerability Description
http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
转义、元或控制序列转义处理不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
CPython 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
CPython是Python基金会的一个用C语言实现的Python解释器。 CPython存在安全漏洞,该漏洞源于http.cookies.Morsel.js_output返回内联script片段且仅转义双引号,未对生成的script元素内的HTML解析器敏感序列script进行中和。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Python Software Foundation | CPython | 0 ~ 3.15.0 | - |
II. Public POCs for CVE-2026-6019
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-6019
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: CPython
- CVE-2026-3087
shutil.unpack_archive() doesn't check for Windows absolute p - CVE-2026-3298
Out-of-bounds write in Windows asyncio.ProacterEventLoop.soc - CVE-2026-5713
Out-of-bounds read/write during remote profiling and asyncio - CVE-2026-4786
Incomplete mitigation of CVE-2026-4519, %action expansion fo - CVE-2026-6100
Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor
Same vendor: Python Software Foundation
- CVE-2026-3087
shutil.unpack_archive() doesn't check for Windows absolute p - CVE-2026-3298
Out-of-bounds write in Windows asyncio.ProacterEventLoop.soc - CVE-2026-5713
Out-of-bounds read/write during remote profiling and asyncio - CVE-2026-4786
Incomplete mitigation of CVE-2026-4519, %action expansion fo - CVE-2026-6100
Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor
Same weakness: CWE-150
- CVE-2026-41526
KCoreAddons 安全漏洞 - CVE-2026-40505
MuPDF < 1.27 mutool ANSI Injection via Metadata - CVE-2026-26149
Microsoft Power Apps Desktop Client Spoofing Vulnerability - CVE-2026-35651
OpenClaw 2026.2.13 < 2026.3.25 - ANSI Escape Sequence Inject - CVE-2026-3108
Terminal Escape Injection in mmctl Report Posts Command
V. Comments for CVE-2026-6019
No comments yet