Tornado

This hub aggregates every CVE we track for Tornado, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Tornado.

• CVE-2026-35536In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.7.2Apr 3, 2026
• CVE-2026-31958Tornado has a DoS due to too many multipart parts7.5Mar 11, 2026
• CVE-2025-67726Tornado is Vulnerable to Quadratic DoS via Crafted Multipart Parameters7.5Dec 12, 2025
• CVE-2025-67725Tornado is Vulnerable to Quadratic DoS via Repeated Header Coalescing7.5Dec 12, 2025
• CVE-2025-67724Tornado vulnerable to Header Injection and XSS via reason argument5.4Dec 12, 2025
• CVE-2025-47287Tornado vulnerable to excessive logging caused by malformed multipart form data7.5May 15, 2025
• CVE-2024-42733An issue in Docmosis Tornado v.2.9.7 and before allows a remote attacker to execute arbitrary code via a crafted script to the UNC path input9.8Mar 7, 2025
• CVE-2024-52804Tornado has HTTP cookie parsing DoS vulnerability7.5Nov 22, 2024
• BDU:2024-09874Уязвимость компонента CurlAsyncHTTPClient асинхронной сетевой библиотеки Tornado, позволяющая нарушителю выполнить произвольный код6.5Nov 19, 2024
• CVE-2023-28370Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user a...6.1May 25, 2023
• CVE-2023-25264An issue was discovered in Docmosis Tornado prior to version 2.9.5. An unauthenticated attacker can bypass the authentication check filter completely by introducing a specially crafted request with...7.5Feb 28, 2023
• CVE-2023-25265Docmosis Tornado <= 2.9.4 is vulnerable to Directory Traversal leading to the disclosure of arbitrary content on the file system.7.5Feb 28, 2023
• CVE-2023-25266An issue was discovered in Docmosis Tornado prior to version 2.9.5. An authenticated attacker can change the Office directory setting pointing to an arbitrary remote network path. This triggers the...8.8Feb 28, 2023
• CVE-2014-9720Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and deter...6.5Jan 24, 2020
• CVE-2012-2374CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitti...5.0May 23, 2012