tornadoweb

Top products

The 10 most recently published vulnerabilities affecting tornadoweb.

• CVE-2026-35536In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.7.2Apr 3, 2026
• CVE-2026-31958Tornado has a DoS due to too many multipart parts7.5Mar 11, 2026
• CVE-2025-67726Tornado is Vulnerable to Quadratic DoS via Crafted Multipart Parameters7.5Dec 12, 2025
• CVE-2025-67725Tornado is Vulnerable to Quadratic DoS via Repeated Header Coalescing7.5Dec 12, 2025
• CVE-2025-67724Tornado vulnerable to Header Injection and XSS via reason argument5.4Dec 12, 2025
• CVE-2025-47287Tornado vulnerable to excessive logging caused by malformed multipart form data7.5May 15, 2025
• CVE-2024-52804Tornado has HTTP cookie parsing DoS vulnerability7.5Nov 22, 2024
• CVE-2023-28370Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user a...6.1May 25, 2023
• CVE-2014-9720Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and deter...6.5Jan 24, 2020
• CVE-2012-2374CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitti...5.0May 23, 2012