Tornado — CVE history (PyPI)
Tornado
9 CVEs affect the Tornado PyPI package (highest CVSS 7.5). Latest disclosed: 2026-04-03. Full CVE history sourced from NVD.
Summary
- Package: Tornado (PyPI)
- Total CVEs: 9
- Actively exploited (CISA KEV): 0
- Highest CVSS: 7.5
- Latest disclosed: 2026-04-03
Recent CVEs (top 9)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-35536 | High | 7.2 | — | 2026-04-03 | In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters. |
| CVE-2026-31958 | — | — | — | 2026-03-11 | Tornado is a Python web framework and asynchronous networking library. |
| CVE-2025-67726 | High | 7.5 | — | 2025-12-12 | Tornado is a Python web framework and asynchronous networking library. |
| CVE-2025-67725 | High | 7.5 | — | 2025-12-12 | Tornado is a Python web framework and asynchronous networking library. |
| CVE-2025-67724 | Medium | 5.4 | — | 2025-12-12 | Tornado is a Python web framework and asynchronous networking library. |
| CVE-2025-47287 | High | 7.5 | — | 2025-05-15 | Tornado is a Python web framework and asynchronous networking library. |
| CVE-2024-52804 | High | 7.5 | — | 2024-11-22 | Tornado is a Python web framework and asynchronous networking library. |
| CVE-2023-28370 | — | — | — | 2023-05-25 | Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user access a specially crafted URL. |
| CVE-2012-2374 | — | — | — | 2012-05-23 | CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input. |
All-time worst (top 6 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-67726 | High | 7.5 | — | 2025-12-12 | Tornado is a Python web framework and asynchronous networking library. |
| CVE-2025-67725 | High | 7.5 | — | 2025-12-12 | Tornado is a Python web framework and asynchronous networking library. |
| CVE-2025-47287 | High | 7.5 | — | 2025-05-15 | Tornado is a Python web framework and asynchronous networking library. |
| CVE-2024-52804 | High | 7.5 | — | 2024-11-22 | Tornado is a Python web framework and asynchronous networking library. |
| CVE-2026-35536 | High | 7.2 | — | 2026-04-03 | In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters. |
| CVE-2025-67724 | Medium | 5.4 | — | 2025-12-12 | Tornado is a Python web framework and asynchronous networking library. |