Lucene search
K

4 matches found

OSV
OSV
added 2026/06/17 6:43 a.m.7 views

MGASA-2026-0216 Updated python-tornado packages fix security vulnerabilities

Tornado has a DoS due to too many multipart parts. CVE-2026-31958 In Tornado, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.setcookie were not checked for crafted characters. CVE-2026-35536...

8.7CVSS5.3AI score0.00375EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/28 3:28 p.m.34 views

CVE-2026-47675 Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax ;, \r, \n, but does not apply the same validation to sameSite an...

4.3CVSS0.00216EPSS
Exploits0References1
CVE
CVE
added 2026/05/28 3:28 p.m.63 views

CVE-2026-47675

Summary: Hono prior to 4.12.21 has a vulnerability in the serialize() function of hono/cookie where domain and path options are validated to prevent Set-Cookie header corruption, but sameSite and priority are not validated. This can allow user-controlled input to inject attacker-chosen attributes...

5.3CVSS5.8AI score0.00216EPSS
Exploits0References1Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/11 10:17 p.m.10 views

Tornado has incomplete validation of cookie attributes

Values passed to the domain, path, and samesite arguments of RequestHandler.setcookie were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes...

5.8AI score
Exploits0References4Affected Software1
Rows per page
Query Builder