CVE-2026-6019 Overview
A script injection vulnerability exists in Python's http.cookies.Morsel.js_output() method. The function generates an inline <script> snippet for setting cookies via JavaScript but only escapes double quotes (") for the JavaScript string context. It does not neutralize the HTML-parser-sensitive sequence </script> inside the generated script element, so an attacker who controls a cookie value can close the element early and inject HTML or JavaScript into the page.
Critical Impact
Attackers who can control cookie values may be able to break out of the JavaScript context and inject arbitrary HTML or script content, leading to potential Cross-Site Scripting (XSS) attacks.
Affected Products
- Python CPython - http.cookies module
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-6019 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-6019
Vulnerability Analysis
The vulnerability stems from insufficient output encoding in the js_output() method of the http.cookies.Morsel class. When generating JavaScript code to set cookies, the method creates an inline <script> element containing a document.cookie assignment. The implementation escapes double quotes so that the value stays inside the JavaScript string literal, but it does not account for the HTML parser, which processes the markup first.
Specifically, if a cookie value contains the sequence </script>, the HTML tokenizer treats it as the end of the script element regardless of whether it appears inside a JavaScript string. The match is ASCII case-insensitive and is satisfied by </script followed by whitespace, / or >, so </SCRIPT > works as well as </script>. This allows an attacker who can control cookie values to close the script element early and have the remainder of the value parsed as HTML, including further script elements or event-handler attributes.
This vulnerability falls under CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences), as the function fails to properly handle sequences that have special meaning in the HTML parsing context.
Root Cause
The root cause is the dual-context nature of inline scripts in HTML. The js_output() method only considered JavaScript string escaping (escaping double quotes) but failed to account for the HTML parsing layer that processes the script element first. The HTML parser looks for </script> to close the script element before JavaScript parsing occurs, creating an injection vector.
Attack Vector
An attacker can exploit this vulnerability by crafting a cookie value containing </script> followed by malicious HTML or JavaScript. When the js_output() method renders this value into an HTML page, the HTML parser will:
- Encounter the </script> sequence within the cookie value
- Interpret it as closing the legitimate script element
- Parse the subsequent attacker-controlled content as HTML/JavaScript
The NVD scoring treats this as network-accessible but requiring high privileges: the attacker must already be able to set a cookie value (directly, or through application data that is copied into one) that the application later renders with js_output(). Applications that only ever emit cookies through Set-Cookie headers are not affected.
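The break-out described above, as an added example that is not part of the advisory or of CPython. It builds the real OutputString() with the stdlib SimpleCookie, then reproduces the two js_output() templates from the patch (the original replace('"', r'\"') form and the base64/atob() form) in two hypothetical functions, and splits the rendered markup where an HTML tokenizer would end the script element. The attacker payload, the function names and the Latin-1 model of atob() are assumptions made for the example.

```python
import base64
import re
from http.cookies import SimpleCookie

# How the HTML tokenizer ends script data: "</script" (ASCII case-insensitive)
# followed by whitespace, "/" or ">". JavaScript quoting plays no part in this.
_SCRIPT_END = re.compile(r"</script(?=[\s/>])", re.IGNORECASE)


def cookie_output_string(name, value):
    """The OutputString() that js_output() embeds, produced by the real stdlib Morsel."""
    jar = SimpleCookie()
    jar[name] = value
    return jar[name].OutputString()


def render_pre_fix(output_string):
    """Template before the fix (reproduced from the patch's '-' lines): only '"' is escaped."""
    return ('<script type="text/javascript">\n<!-- begin hiding\n'
            'document.cookie = "%s";\n// end hiding -->\n</script>\n'
            % output_string.replace('"', r'\"'))


def render_post_fix(output_string):
    """Template after the fix (reproduced from the '+' lines): base64 server-side, atob() client-side."""
    encoded = base64.b64encode(output_string.encode("utf-8")).decode("ascii")
    return ('<script type="text/javascript">\n<!-- begin hiding\n'
            'document.cookie = atob("%s");\n// end hiding -->\n</script>\n'
            % encoded)


def split_at_script_end(html):
    """Split rendered markup the way a browser does: (script body, markup parsed after it)."""
    body_start = html.index(">") + 1          # end of the opening <script ...> tag
    m = _SCRIPT_END.search(html, body_start)
    if m is None:                              # never closed: everything is script text
        return html[body_start:], ""
    rest = html[m.end():]
    return html[body_start:m.start()], rest[rest.find(">") + 1:]


def injected_markup(render, value):
    """Markup an attacker-controlled cookie value pushes outside the script element ('' if none)."""
    _body, rest = split_at_script_end(render(cookie_output_string("session", value)))
    return rest.strip()


_ATOB_ARG = re.compile(r'atob\("([A-Za-z0-9+/=]*)"\)')


def browser_side_value(html):
    """What atob() hands to document.cookie: one character per byte (Latin-1), never UTF-8-decoded."""
    m = _ATOB_ARG.search(html)
    return base64.b64decode(m.group(1)).decode("latin-1") if m else None


if __name__ == "__main__":
    payload = "</script><img src=x onerror=alert(1)>"      # constructed attacker value
    print("pre-fix leaks      :", repr(injected_markup(render_pre_fix, payload)))
    print("pre-fix, </SCRIPT >:", repr(injected_markup(render_pre_fix, payload.replace("</script>", "</SCRIPT >"))))
    print("post-fix leaks     :", repr(injected_markup(render_post_fix, payload)))
    print("browser sees       :", browser_side_value(render_post_fix(cookie_output_string("session", payload))))
```

Two things worth noticing when running it: the quoting SimpleCookie applies to the value does not help, because `<`, `/` and `>` are left untouched and the pre-fix template only escapes `"`; and the `</SCRIPT >` variant leaks just as the lowercase form does, which is why exact-string filters for `</script>` are not a reliable defence. The post-fix output round-trips unchanged for ASCII, but because atob() yields one character per byte, a cookie containing characters outside Latin-1 would reach document.cookie as UTF-8 bytes rather than the original text.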
The following patch shows how Python addressed this vulnerability by base64-encoding cookie values:
return '<%s: %s>' % (self.__class__.__name__, self.OutputString())
def js_output(self, attrs=None):
+ import base64
# Print javascript
output_string = self.OutputString(attrs)
if _has_control_character(output_string):
raise CookieError("Control characters are not allowed in cookies")
+ # Base64-encode value to avoid template
+ # injection in cookie values.
+ output_encoded = base64.b64encode(output_string.encode('utf-8')).decode("ascii")
return """
<script type="text/javascript">
<!-- begin hiding
- document.cookie = \"%s\";
+ document.cookie = atob(\"%s\");
// end hiding -->
</script>
- """ % (output_string.replace('"', r'\"'))
+ """ % (output_encoded,)
def OutputString(self, attrs=None):
# Build up our result
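Review bot: the added `.encode('utf-8')` on the `output_encoded` line has no counterpart in the browser, since `atob()` returns a binary string with one character per byte and never decodes UTF-8, so any non-ASCII character in `output_string` reaches `document.cookie` as separate byte-characters rather than the original text. Either reject non-ASCII next to the existing `_has_control_character` check, or decode in the page, e.g. `new TextDecoder().decode(Uint8Array.from(atob(s), c => c.charCodeAt(0)))`. Dropping the `.replace('"', r'\"')` is correct because the base64 alphabet contains none of `"`, `\`, `<` or `>`; the new comment would be clearer as "avoid breaking out of the HTML/JavaScript context" rather than "template injection", which is not what the original bug was.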
Source: GitHub Commit Changes
Detection Methods for CVE-2026-6019
Indicators of Compromise
- Unusual cookie values containing HTML-like sequences such as </script>, <script>, or other HTML tags
- Web application logs showing cookie values with embedded HTML/JavaScript content
- Client-side monitoring detecting unexpected script injections or DOM modifications
Detection Strategies
- Validate cookie values server-side before they reach js_output(): reject any value containing </script matched case-insensitively (the tokenizer accepts </SCRIPT > just as it does </script>), or more simply any < or > character
- Use Content Security Policy (CSP) headers to detect and prevent execution of injected scripts
- Deploy web application firewalls (WAF) with rules to identify script injection attempts in cookie parameters
Monitoring Recommendations
- Monitor application logs for anomalous cookie values, particularly those containing angle brackets or script-related strings
- Enable CSP violation reporting to detect attempted script injections
- Review code for usage of http.cookies.Morsel.js_output() method and assess exposure
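The log-based indicators and monitoring recommendations above, turned into a small scanner as an added example that is not part of the advisory. It assumes the web server logs the request's Cookie header as a trailing quoted field (the sample lines below are constructed in combined log format with that field appended), percent-decodes each cookie value, and labels it with the same tokenizer-aware patterns a browser would act on. The function and label names are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample lines: combined log format with the Cookie header appended as a
# final quoted field. Two of the three carry percent-encoded HTML in a cookie value.
SAMPLE_LOG = """
203.0.113.5 - - [22/Apr/2026:10:01:02 +0000] "GET /account HTTP/1.1" 200 512 "session=abc123; theme=dark"
203.0.113.9 - - [22/Apr/2026:10:01:07 +0000] "GET /account HTTP/1.1" 200 512 "session=%3C%2Fscript%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"
198.51.100.2 - - [22/Apr/2026:10:02:11 +0000] "POST /prefs HTTP/1.1" 302 0 "theme=%3C%2FSCRIPT%20%3E%3Csvg%20onload%3Dalert(1)%3E; lang=en"
""".strip()

_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \d+ "(?P<cookie>[^"]*)"$'
)

# Ordered from most to least specific. The first pattern mirrors how the HTML tokenizer
# ends a script element, so it catches "</SCRIPT >" and "</script/" as well as "</script>".
SUSPICIOUS = [
    ("script-end-tag", re.compile(r"</script(?=[\s/>])", re.IGNORECASE)),
    ("script-start-tag", re.compile(r"<script\b", re.IGNORECASE)),
    ("html-comment", re.compile(r"<!--")),
    ("html-tag", re.compile(r"<[a-z!/]", re.IGNORECASE)),
]


def parse_cookie_header(header):
    """Split a Cookie header into (name, decoded value) pairs; malformed pieces are skipped."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            pairs.append((name, unquote(value)))
    return pairs


def classify(value):
    """Labels of every suspicious pattern found in one cookie value ([] if clean)."""
    return [label for label, rx in SUSPICIOUS if rx.search(value)]


def scan_log(text):
    """Findings for every cookie value in the log that contains HTML-like sequences."""
    findings = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        for name, value in parse_cookie_header(m["cookie"]):
            labels = classify(value)
            if labels:
                findings.append({"ip": m["ip"], "time": m["ts"], "cookie": name,
                                 "labels": labels, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["cookie"], f["labels"], repr(f["value"]))
```

The generic html-tag label will also fire on legitimate values that happen to contain `<` (some applications store markup fragments in cookies), so treat it as a triage signal and reserve alerting for script-end-tag and script-start-tag, which have no benign reason to appear in a cookie that is later rendered through js_output().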
How to Mitigate CVE-2026-6019
Immediate Actions Required
- Update Python to the latest patched version that includes the base64-encoding fix for js_output()
- Audit application code for usage of http.cookies.BaseCookie.js_output() or http.cookies.Morsel.js_output()
- Implement Content Security Policy headers to mitigate potential XSS impact
- Validate and sanitize any user-controlled data that may influence cookie values
Patch Information
The Python development team has released a security patch that modifies the js_output() method to base64-encode the cookie's OutputString() before embedding it in the JavaScript. The fix uses base64.b64encode() on the server side and atob() in the browser to decode the value. Because the base64 alphabet (A-Z, a-z, 0-9, +, / and =) contains none of <, >, " or \, the embedded text can no longer end the script element or the JavaScript string literal, whatever the cookie value contains.
For more details, see the GitHub Pull Request Review and Python Security Mailing Archive.
Workarounds
- Avoid using js_output() method entirely; instead, set cookies via HTTP headers using Set-Cookie
- If js_output() must be used on an unpatched interpreter, restrict cookie values to a safe alphabet yourself, for example by base64-encoding them before they are stored and decoding them wherever the application reads the cookie back
- Implement server-side validation that rejects cookie values containing </script (matched case-insensitively) or, more robustly, any < or > character
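The first and third workarounds above, as an added example that is not part of the advisory: a value check that refuses anything able to open or close a tag, and a helper that emits the cookie as Set-Cookie header lines through the stdlib SimpleCookie instead of an inline script block. The helper name, its defaults (Secure, HttpOnly, SameSite=Lax) and the character set it rejects are choices made for this example; the samesite attribute needs Python 3.8 or later.

```python
import re
from http.cookies import CookieError, SimpleCookie

# Reject anything that could ever form a tag boundary when echoed into a page,
# plus the control characters that http.cookies itself refuses.
_UNSAFE = re.compile(r"[<>\x00-\x1f\x7f]")


def is_safe_cookie_value(value):
    """True if the value can never produce a tag boundary when rendered into HTML."""
    return _UNSAFE.search(value) is None


def set_cookie_headers(name, value, *, path="/", max_age=None,
                       secure=True, httponly=True, samesite="Lax"):
    """Return 'Set-Cookie: ...' header lines for one cookie, built with SimpleCookie.

    Setting the cookie from the response header removes the need for js_output()
    entirely, and HttpOnly additionally keeps the value out of reach of page scripts.
    Raises CookieError if the value fails is_safe_cookie_value().
    """
    if not is_safe_cookie_value(value):
        raise CookieError("cookie value contains an unsafe character")
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    morsel["secure"] = secure          # flag attribute: emitted as 'Secure' when true
    morsel["httponly"] = httponly      # flag attribute: emitted as 'HttpOnly' when true
    morsel["samesite"] = samesite      # Python 3.8+
    if max_age is not None:
        morsel["max-age"] = max_age
    return jar.output().splitlines()   # one 'Set-Cookie: ...' line per cookie


if __name__ == "__main__":
    for line in set_cookie_headers("session", "abc123", max_age=3600):
        print(line)
    try:
        set_cookie_headers("session", "</script><img src=x onerror=alert(1)>")
    except CookieError as exc:
        print("rejected:", exc)
```

The rejection is deliberately broader than the exact `</script>` string: once a `<` or `>` is kept out of the stored value, no later rendering path (js_output() or otherwise) can turn it into a tag boundary, and the check stays correct for the case and whitespace variants the HTML tokenizer accepts.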
# Check the interpreter version and compare it with the fixed releases named in the CPython advisory
python3 --version
# Update Python through your operating system's package manager or an official release;
# pip cannot patch the interpreter, so for venv/pip-based deployments recreate the
# environment on a patched interpreter
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.