In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NTornadoweb Tornado
APPTornadoweb< 6.5.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
Related vulnerabilities
CVE-2026-31958HIGH8.7ten sam produkt
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, ...
CVE-2025-67725HIGH7.5ten sam produkt
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single m...
CVE-2025-67726HIGH7.5ten sam produkt
Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an ineffic...
CVE-2025-47287HIGH7.5ten sam produkt
Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` ...
CVE-2024-52804HIGH7.5ten sam produkt
Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP coo...