127 matches found
PT-2026-29974
Name of the Vulnerable Software and Affected Versions Tornado versions prior to 6.5.5 Description Prior to version 6.5.5, Tornado is susceptible to cookie attribute injection due to insufficient validation of the domain, path, and samesite arguments when setting cookies using .RequestHandler.set...
Tornado 安全漏洞
Tornado is a Python web framework and asynchronous networking library from Tornado China. This library can scale to thousands of open connections by using non-blocking network I/O, making it ideal for applications that require long-term polling, WebSocket, and other scenarios where long-term...
SUSE-SU-2026:1162-1 Security update for python-tornado
This update for python-tornado fixes the following issues: - CVE-2025-67724: missing validation of the supplied reason phrase bsc1254903. - CVE-2025-67725: Denial of Service DoS via maliciously crafted HTTP request caused by the HTTPHeaders.add method bsc1254905. - CVE-2026-31958: parsing large...
Security update for python-tornado6 (important)
openSUSE security update: security update for python-tornado6 ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20406-1 Rating: important References: bsc1259553 bsc1259630 Cross-References: CVE-2026-31958 CVSS scores: CVE-2026-31958 SUSE : 7.5...
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : python-tornado6 (SUSE-SU-2026:1064-1)
The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2026:1064-1 advisory. - CVE-2026-31958: parsing large multipart bodies with many parts can cause a denial of service bsc1259553...
CVE-2026-32745
In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings...
Security update for python-tornado6
This update for python-tornado6 fixes the following issues: CVE-2026-31958: parsing large multipart bodies with many parts can cause a denial of service bsc1259553. incomplete validation of cookie attributes allows for injection of user-controlled values in other cookie attributes bsc1259630. Pat...
SUSE-SU-2026:1064-1 Security update for python-tornado6
This update for python-tornado6 fixes the following issues: - CVE-2026-31958: parsing large multipart bodies with many parts can cause a denial of service bsc1259553. - incomplete validation of cookie attributes allows for injection of user-controlled values in other cookie attributes bsc1259630...
SUSE-SU-2026:20797-1 Security update for python-tornado6
This update for python-tornado6 fixes the following issues: - CVE-2026-31958: parsing large multipart bodies with many parts can cause a denial of service bsc1259553. - incomplete validation of cookie attributes allows for injection of user-controlled values in other cookie attributes bsc1259630...
SUSE-SU-2026:20761-1 Security update for python-tornado6
This update for python-tornado6 fixes the following issues: - CVE-2026-31958: parsing large multipart bodies with many parts can cause a denial of service bsc1259553. - incomplete validation of cookie attributes allows for injection of user-controlled values in other cookie attributes bsc1259630...
OPENSUSE-SU-2026:20406-1 Security update for python-tornado6
This update for python-tornado6 fixes the following issues: - CVE-2026-31958: parsing large multipart bodies with many parts can cause a denial of service bsc1259553. - incomplete validation of cookie attributes allows for injection of user-controlled values in other cookie attributes bsc1259630...
CVE-2026-32745
JetBrains Datalore is affected prior to version 2026.1. The vulnerability arises from missing the Secure attribute on cookie settings, enabling session hijacking. No exploit details are provided in the documents. Affected product: JetBrains Datalore; root cause: cookie security attribute misconfi...
CVE-2026-29086
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie utility did not validate semicolons ;, carriage returns \r, or newline characters \n in the domain and path options when constructing the Set-Cookie header. Because cookie...
CVE-2026-29086
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie utility did not validate semicolons ;, carriage returns \r, or newline characters \n in the domain and path options when constructing the Set-Cookie header. Because cookie...
CVE-2026-29086
In IBM advisories, CVE-2026-29086 affects the Hono web framework used by IBM App Connect Enterprise containers. Prior to 4.12.4, setCookie() did not validate semicolons, carriage returns, or newlines in domain and path when constructing Set-Cookie, enabling potential cookie-attribute injection. T...
CVE-2026-29086 Hono: Cookie Attribute Injection via Unsanitized domain and path in setCookie()
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie utility did not validate semicolons ;, carriage returns \r, or newline characters \n in the domain and path options when constructing the Set-Cookie header. Because cookie...
CVE-2026-29086 Hono: Cookie Attribute Injection via Unsanitized domain and path in setCookie()
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie utility did not validate semicolons ;, carriage returns \r, or newline characters \n in the domain and path options when constructing the Set-Cookie header. Because cookie...
EUVD-2026-9508
Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie...
GHSA-5PQ2-9X2X-5P6W Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()
Summary The setCookie utility did not validate semicolons ;, carriage returns \r, or newline characters \n in the domain and path options when constructing the Set-Cookie header. Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if...
CVE-2025-36134
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie...