102 matches found
tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments
A flaw was found in Tornado. A remote attacker could exploit this vulnerability by injecting specially crafted characters into the domain, path, and samesite arguments when setting cookies. This could lead to cookie attribute injection, potentially allowing for information disclosure or...
Astra Linux - уязвимость в python-tornado
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the provided “reason” phrase is used unescaped in HTTP headers where it could be used for header injection or in HTML on the default error page where it could be used for XSS attacks. This...
Astra Linux - уязвимость в python-tornado
In Tornado before version 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments of .RequestHandler.setcookie were not checked for crafted characters...
Astra Linux - уязвимость в python-tornado
Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and earlier use an inefficient algorithm when parsing parameters for HTTP header values, which may lead to Denial-of-Service attacks. The parseparam function in httputil.py is used to parse specific HTTP header...
tornado-python: Tornado: Denial of Service via large multipart bodies
A flaw was found in tornado-python. A remote attacker can exploit this vulnerability by sending a specially crafted, very large multipart body with numerous parts. Because the parsing of these large bodies occurs synchronously on the main thread, it can consume excessive resources, leading to a...
RLSA-2026:13641 Moderate: python-tornado security update
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...
Amazon Linux 2023 : python3.13-tornado (ALAS2023-2026-1588)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1588 advisory. In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.setcookie were not checked for crafted characters. CVE-2026-35536...
OESA-2026-1995 python-tornado security update
Tornado is an open source version of the scalable, non-blocking web server and tools. Security Fixes: Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the maxbodysize setti...
SUSE CVE-2026-35536
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.setcookie were not checked for crafted characters...
EUVD-2026-18574
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.setcookie were not checked for crafted characters...
CVE-2026-35536
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.setcookie were not checked for crafted characters...
UBUNTU-CVE-2026-35536
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.setcookie were not checked for crafted characters...
CVE-2026-35536
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.setcookie were not checked for crafted characters...
CVE-2026-35536
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.setcookie were not checked for crafted characters...
Tornado 安全漏洞
Tornado is a Python web framework and asynchronous networking library from Tornado China. This library can scale to thousands of open connections by using non-blocking network I/O, making it ideal for applications that require long-term polling, WebSocket, and other scenarios where long-term...
PT-2026-29974
Name of the Vulnerable Software and Affected Versions Tornado versions prior to 6.5.5 Description Prior to version 6.5.5, Tornado is susceptible to cookie attribute injection due to insufficient validation of the domain, path, and samesite arguments when setting cookies using .RequestHandler.set...
Important: python3.13-tornado
Issue Overview: Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers where it could be used for header injection or in HTML in the default error page where it could be used for XSS and can ...
Important: python-tornado
Issue Overview: Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the maxbodysize setting default 100MB. Since parsing occurs synchronously on the main thread, this creates...
OESA-2026-1677 python-tornado security update
Tornado is an open source version of the scalable, non-blocking web server and tools. Security Fixes: Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the maxbodysize setti...
OESA-2026-1676 python-tornado security update
Tornado is an open source version of the scalable, non-blocking web server and tools. Security Fixes: Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the maxbodysize setti...