Improper Encoding or Escaping of Output Affecting python313-base package, versions <3.13.13-150700.4.50.1


Severity

Recommended
0.0
low
0
10

Based on SUSE Linux Enterprise Server security rating.

Threat Intelligence

EPSS
0.23% (14th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-SLES157-PYTHON313BASE-17389930
  • published20 Jun 2026
  • disclosed19 Jun 2026

Introduced: 19 Jun 2026

NewCVE-2026-6019  (opens in a new tab)
CWE-116  (opens in a new tab)

How to fix?

Upgrade SLES:15.7 python313-base to version 3.13.13-150700.4.50.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream python313-base package and not the python313-base package as distributed by SLES. See How to fix? for SLES:15.7 relevant fixed versions and status.

http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.

CVSS Base Scores

version 3.1