Medium severity6.1NVD Advisory· Published Apr 22, 2026· Updated May 28, 2026
CVE-2026-6019
CVE-2026-6019
Description
http.cookies.Morsel.js_output() returns an inline inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
32(expand)+ 1 more
- (no CPE)
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*range: <3.15.0
- osv-coords30 versionspkg:apk/chainguard/python-3.13pkg:apk/chainguard/python-3.14pkg:apk/wolfi/python-3.13pkg:apk/wolfi/python-3.14pkg:bitnami/libpythonpkg:bitnami/pythonpkg:bitnami/python-minpkg:rpm/almalinux/python3.14pkg:rpm/almalinux/python3.14-debugpkg:rpm/almalinux/python3.14-develpkg:rpm/almalinux/python3.14-freethreadingpkg:rpm/almalinux/python3.14-freethreading-debugpkg:rpm/almalinux/python3.14-freethreading-develpkg:rpm/almalinux/python3.14-freethreading-idlepkg:rpm/almalinux/python3.14-freethreading-libspkg:rpm/almalinux/python3.14-freethreading-testpkg:rpm/almalinux/python3.14-freethreading-tkinterpkg:rpm/almalinux/python3.14-idlepkg:rpm/almalinux/python3.14-libspkg:rpm/almalinux/python3.14-testpkg:rpm/almalinux/python3.14-tkinterpkg:rpm/opensuse/python310&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python311&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python312&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python313&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/python315&distro=openSUSE%20Tumbleweedpkg:rpm/suse/python313-core&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP7pkg:rpm/suse/python313&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP7pkg:rpm/suse/python-base&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7pkg:rpm/suse/python&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7
< 3.13.13-r3+ 29 more
- (no CPE)range: < 3.13.13-r3
- (no CPE)range: < 3.14.4-r4
- (no CPE)range: < 3.13.13-r3
- (no CPE)range: < 3.14.4-r4
- (no CPE)range: < 3.13.14
- (no CPE)range: < 3.13.14
- (no CPE)range: < 3.13.14
- (no CPE)range: < 3.14.5-1.el9_8
- (no CPE)range: < 3.14.5-1.el9_8
- (no CPE)range: < 3.14.5-1.el9_8
- (no CPE)range: < 3.14.5-1.el9_8
- (no CPE)range: < 3.14.5-1.el9_8
- (no CPE)range: < 3.14.5-1.el9_8
- (no CPE)range: < 3.14.5-1.el9_8
- (no CPE)range: < 3.14.5-1.el9_8
- (no CPE)range: < 3.14.5-1.el9_8
- (no CPE)range: < 3.14.5-1.el9_8
- (no CPE)range: < 3.14.5-1.el9_8
- (no CPE)range: < 3.14.5-1.el9_8
- (no CPE)range: < 3.14.5-1.el9_8
- (no CPE)range: < 3.14.5-1.el9_8
- (no CPE)range: < 3.10.20-6.1
- (no CPE)range: < 3.11.15-6.1
- (no CPE)range: < 3.12.13-6.1
- (no CPE)range: < 3.13.13-2.1
- (no CPE)range: < 3.15.0~a8-3.1
- (no CPE)range: < 3.13.13-150700.4.50.1
- (no CPE)range: < 3.13.13-150700.4.50.1
- (no CPE)range: < 2.7.18-150000.120.1
- (no CPE)range: < 2.7.18-150000.120.1
Patches
Vulnerability mechanics
References
6- github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76cnvdPatch
- github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104nvdPatch
- github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8nvdPatch
- github.com/python/cpython/pull/148848nvdIssue TrackingPatch
- github.com/python/cpython/issues/90309nvdExploitIssue Tracking
- mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3/nvdMailing ListVendor Advisory
News mentions
0No linked articles in our index yet.