CVE-2026-31958 Tornado has a DoS due to too many multipart parts

🗓️ 11 Mar 2026 19:27:23Reported by GoogleType

osv🔗 osv.dev👁 1 Views

CVE-2026-31958 Tornado DoS from too many multipart parts prior to version 6.5.5 due to main-thread parsing.

Reporter	Title	Published	Views	Family All 206
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Monitor Component uses tornado-6.5.3-cp39-abi3-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl which is vulnerable to CVE-2026-31958	29 May 202608:42	–	ibm
ATTACKERKB	CVE-2026-31958	11 Mar 202619:27	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : python3-tornado (ALAS2023-2026-1502)	1 Apr 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : python3.13-tornado (ALAS2023-2026-1528)	1 Apr 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2 : python3-tornado, --advisory ALAS2-2026-3213 (ALAS-2026-3213)	1 Apr 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2 : python-tornado, --advisory ALAS2-2026-3214 (ALAS-2026-3214)	1 Apr 202600:00	–	nessus
Tenable Nessus	AlmaLinux 10 : python-tornado (ALSA-2026:13641)	6 May 202600:00	–	nessus
Tenable Nessus	AlmaLinux 9 : python-tornado (ALSA-2026:13670)	6 May 202600:00	–	nessus
Tenable Nessus	AlmaLinux 8 : pcs (ALSA-2026:8093)	16 Apr 202600:00	–	nessus
Tenable Nessus	Debian dla-4520 : python-tornado-doc - security update	1 Apr 202600:00	–	nessus

Source	Link
github	www.github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31958.json
github	www.github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-31958

06 Jun 2026 18:29Current

5.8Medium risk

Vulners AI Score5.8

CVSS 48.7

EPSS0.00028