Tornadoweb Tornado
9 CVEs affecting Tornadoweb Tornado. Latest disclosed: 2026-04-03. Critical: 0, High: 5.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-67726 | High | 7.5 | 2025-12-12 | Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP h… |
| CVE-2025-67725 | High | 7.5 | 2025-12-12 | Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the ser… |
| CVE-2025-47287 | High | 7.5 | 2025-05-15 | Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warni… |
| CVE-2024-52804 | High | 7.5 | 2024-11-22 | Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes… |
| CVE-2026-35536 | High | 7.2 | 2026-04-03 | In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked… |
| CVE-2025-67724 | Medium | 5.4 | 2025-12-12 | Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP header… |
| CVE-2026-31958 | | | 2026-03-11 | Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipar… |
| CVE-2023-28370 | | | 2023-05-25 | Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and cond… |
| CVE-2012-2374 | | | 2012-05-23 | CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP hea… |