What is GHSA-2755-2mm4-rm5c?

GHSA-2755-2mm4-rm5c is a security advisory published by GitHub Security Advisories with Low severity. http.cookies.Morsel.js_output() returns an inline \u003cscript\u003e snippet and only escapes " for...

Which CVE IDs does GHSA-2755-2mm4-rm5c cover?

GHSA-2755-2mm4-rm5c covers the following CVE IDs: CVE-2026-6019. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-2755-2mm4-rm5c?

GHSA-2755-2mm4-rm5c has a CVSS v3 base score of 6.1, published by GitHub Security Advisories.

GHSA-2755-2mm4-rm5cLowCVSS 6.1

http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for...

Vendor

GitHub Security Advisories

Published

April 22, 2026

Last Modified

May 18, 2026

🔗 CVE IDs covered (1)

CVE-2026-6019 →

📋 Description

http.cookies.Morsel.js_output() returns an inline snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.

🔗 References (8)

https://nvd.nist.gov/vuln/detail/CVE-2026-6019
https://github.com/python/cpython/issues/90309
https://github.com/python/cpython/pull/148848
https://github.com/python/cpython/commit/76b3923d688c0efc580658476c5f525ec8735104
https://mail.python.org/archives/list/security-announce@python.org/thread/IVNWGV2BBNC3RHQAFS22UP4DY56SAXX3
https://github.com/python/cpython/commit/3c59b8b53fc75c7f9578d16fb8201ceb43e8f76c
https://github.com/python/cpython/commit/f795e042043dfe26c42e1971d4502c1cdc4c65b8
https://github.com/advisories/GHSA-2755-2mm4-rm5c