CVE-2026-35536

Published: Apr 3, 2026Modified: Apr 10, 2026

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.

Affected (1)

Products: Tornadoweb: Tornado

Tornadoweb

1 product

Tornado

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Tornadoweb Tornado	Before 6.5.5

Related CWEs

CWE-159

Improper Handling of Invalid Use of Special Elements

The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-controlled input, which could cause adverse effect on its behavior and integrity.

References (2)

https://github.com/tornadoweb/tornado/releases/tag/v6.5.5

Source: cve@mitre.org

Product

https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7

Source: cve@mitre.org

Vendor Advisory

Timeline

No history available yet.