CVE-2026-35536
EUVD-2026-1857403.04.2026, 04:16
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| tornadoweb | tornado | 𝑥 < 6.5.5 |
𝑥
= Vulnerable software versions
Debian Releases
Amazon Linux Releases
Amazon Package | |||||
|---|---|---|---|---|---|
| python-tornado |
| ||||
| python-tornado-debuginfo |
| ||||
| python-tornado-debugsource |
| ||||
| python-tornado-doc |
| ||||
| python3-tornado |
| ||||
| python3-tornado-debuginfo |
| ||||
| python3-tornado-doc |
| ||||
| python3.13-tornado |
| ||||
| python3.13-tornado-debuginfo |
| ||||
| python3.13-tornado-debugsource |
| ||||
| python3.13-tornado-doc |
|