PT-2026-34549 · Python · Python

Oolongeya +1 · Published 2026-04-22 · Updated 2026-06-12 · CVE-2026-6019

CVSS v3.1: 6.1 Medium

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Python (affected versions not specified)

Description

The js_output() function in http.cookies.Morsel returns an inline within the generated script element, which could allow for script injection.

Recommendations

As a temporary workaround, consider restricting the use of the js_output() function until a patch is available. Base64-encode the cookie value to prevent escaping via the cookie value.
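
The Base64 workaround from the Recommendations, sketched as an added example (not part of the original advisory and not CPython's own code). The helper names `encode_cookie_value`, `decode_cookie_value`, `render_cookie_js` and `script_close_count` are hypothetical, and the sample value is constructed.

```python
import base64
import re
from http.cookies import SimpleCookie

# Base64url alphabet only: none of these characters can close a <script>
# element or terminate the JavaScript string literal that js_output() emits.
_SAFE_TOKEN = re.compile(r"[A-Za-z0-9_-]*")


def encode_cookie_value(raw: str) -> str:
    """Base64url-encode raw (as UTF-8), dropping the '=' padding."""
    token = base64.urlsafe_b64encode(raw.encode("utf-8")).decode("ascii")
    return token.rstrip("=")


def decode_cookie_value(token: str) -> str:
    """Inverse of encode_cookie_value(); rejects input outside the alphabet."""
    if not _SAFE_TOKEN.fullmatch(token):
        raise ValueError("cookie value is not base64url")
    padded = token + "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def render_cookie_js(name: str, raw_value: str) -> str:
    """Return Morsel.js_output() for a cookie whose value is encoded first."""
    cookie = SimpleCookie()
    cookie[name] = encode_cookie_value(raw_value)
    return cookie[name].js_output()


def script_close_count(html: str) -> int:
    """Count '</script' occurrences; a safe snippet has only its own closing tag."""
    return html.lower().count("</script")


if __name__ == "__main__":
    # Constructed sample: a value carrying the sequence that ends a script element.
    sample = 'theme=dark"</script>'
    html = render_cookie_js("prefs", sample)
    print(html)
    print("closing tags:", script_close_count(html))
```

Whatever reads the cookie back has to call `decode_cookie_value()` (or the equivalent on the client), since the stored value is no longer the raw string.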

Exploit

Fix

Improper Encoding or Escaping of Output

Weakness Enumeration

Related Identifiers

BIT-LIBPYTHON-2026-6019
BIT-PYTHON-2026-6019
BIT-PYTHON-MIN-2026-6019
CVE-2026-6019
ECHO-1E4C-228C-95EE
OESA-2026-2269
OESA-2026-2270
OESA-2026-2271
OPENSUSE-SU-2026:10647-1
OPENSUSE-SU-2026:10648-1
OPENSUSE-SU-2026:10667-1
PSF-2026-21
SUSE-SU-2026:2387-1

Affected Products

Python