Unvalidated Input in Tornado Web Server Can Lead to Remote Code Execution
SUSE-SU-2026:0838-1
Summary
A security update for the Tornado web server is available to fix an issue where an attacker could inject malicious code. This could potentially allow an attacker to take control of the server. Update your Tornado installation to the latest version to protect against this risk.
What to do
- Update python-tornado to version 4.5.3-150000.3.16.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | python-tornado | <= 4.5.3-150000.3.16.1 | 4.5.3-150000.3.16.1 |
Original title
Security update for python-tornado
Original description
This update for python-tornado fixes the following issue:
- CVE-2025-67724: missing validation of the supplied reason phrase (bsc#1254903).
- https://www.suse.com/support/update/announcement/2026/suse-su-20260838-1/ Vendor Advisory
- https://bugzilla.suse.com/1254903 Third Party Advisory
- https://www.suse.com/security/cve/CVE-2025-67724 URL
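The description names a missing validation of the supplied reason phrase. The block below is an added example, not Tornado's or SUSE's patch: an application-side check that accepts a caller-supplied phrase only if it matches the RFC 9110 `reason-phrase` grammar. The function names, the fallback to the standard phrase and the sample inputs are assumptions made for illustration.

```python
import re
from http.client import responses  # standard phrases, e.g. 404 -> "Not Found"

# RFC 9110: reason-phrase = 1*( HTAB / SP / VCHAR / obs-text )
# CR, LF, NUL, other control characters and DEL are therefore not allowed.
_REASON_OK = re.compile(r"[\t \x21-\x7e\x80-\xff]+")


def is_valid_reason(reason):
    """True if `reason` is a non-empty str made only of allowed characters."""
    return isinstance(reason, str) and _REASON_OK.fullmatch(reason) is not None


def safe_reason(status_code, reason=None):
    """Return a phrase that is safe to place in a status line.

    Hypothetical helper: a supplied phrase is used only when it validates;
    otherwise the standard phrase for the code is used, or "Unknown".
    """
    if reason is not None and is_valid_reason(reason):
        return reason
    return responses.get(status_code, "Unknown")


def status_line(status_code, reason=None):
    """Build an HTTP/1.1 status line with a validated reason phrase."""
    if not 100 <= status_code <= 999:
        raise ValueError("status code out of range")
    return "HTTP/1.1 %d %s\r\n" % (status_code, safe_reason(status_code, reason))


# Constructed sample inputs (not taken from the advisory)
SAMPLES = [
    (404, "No such widget"),   # valid custom phrase, kept
    (400, "Bad\r\nRequest"),   # CR/LF rejected, standard phrase used
    (500, "oops\x00"),         # NUL rejected, standard phrase used
    (599, None),               # no standard phrase for this code
]

if __name__ == "__main__":
    for code, reason in SAMPLES:
        print(repr(status_line(code, reason)))
```

A check like this belongs wherever a reason phrase is derived from request data or other untrusted input; it does not replace installing the fixed package.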
Published: 6 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026