Tornado has cookie attribute injection via .RequestHandler.set_cookie

GHSA-fqwm-6jpj-5wxc · CVE-2026-35536

Published Apr 3, 2026 · Modified May 11, 2026

Description

In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.

References

WEB https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-35536
PACKAGE https://github.com/tornadoweb/tornado
WEB https://github.com/tornadoweb/tornado/releases/tag/v6.5.5

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes