Disclosed
CVE-2026-6019
http.cookies.Morsel.js_output() returns an inline snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.
Exploitation Probability (EPSS)
Low Priority0.03%
The Exploit Prediction Scoring System (EPSS) uses machine learning to estimate the probability that a vulnerability will be exploited in the wild within the next 30 days.
0% (Theoretical)100% (Certainty)
7-Day Exploitation Trend
Vulnerability Timeline
2 eventsApr 22, 2026
Vulnerability Disclosed
Published to component-level vulnerability database.
Apr 29, 2026
Last Updated
Record updated with new analysis or tags.
Threat Actor Attribution
PREMIUM INTELAssociated Groups:Lazarus Group, APT28
Ransomware Campaigns:LockBit 3.0, BlackCat
IoCs (Indicators):14 IPs, 3 Hashes
Remediation & Mitigation
SOLUTIONOfficial patches and mitigation steps are available for this vulnerability.
# Update Command
apt-get update && apt-get upgrade -y specific-package
# Verify installation
dpkg -l | grep package-name
apt-get update && apt-get upgrade -y specific-package
# Verify installation
dpkg -l | grep package-name
References
https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76cGitHub
https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104GitHub
https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8GitHub
https://github.com/python/cpython/issues/90309GitHub
Am I Vulnerable?
Check your domain or package.json for CVE-2026-6019 exposure.
Vulnerability Details
CVSS Base Score
N/A/ 10
Published Date
Apr 22, 2026
Last Modified
Apr 29, 2026
Need Manual Validation?
Automated scanners flag false positives. Get a manual pentest validation for this CVE.