CVE-2026-35536

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.2 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N                                    

Vulnerability Description

In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.

Vulnerability Details

Published Date

April 03, 2026

Last Modified

April 10, 2026

CWE ID

CWE-159

Source

NVD

Vendor

tornadoweb

Product

Tornado

External References

https://github.com/tornadoweb/tornado/releases/tag/v6.5.5
https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7

CVE-2026-35536

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment