HIGH🇬🇧 English

CVE-2026-35536

CVSS 7.2v3.1pub. 2026-04-03upd. 2026-04-10

In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
  • Tornadoweb Tornado

    APP
    Tornadoweb
    < 6.5.5
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2026-31958HIGH8.7ten sam produkt

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, ...

CVE-2025-67725HIGH7.5ten sam produkt

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single m...

CVE-2025-67726HIGH7.5ten sam produkt

Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an ineffic...

CVE-2025-47287HIGH7.5ten sam produkt

Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` ...

CVE-2024-52804HIGH7.5ten sam produkt

Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP coo...