Tornado Web Server Cookie Attribute Data Injection

CVE-2026-35536
Summary

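Tornado's cookie handling did not check the domain, path, and samesite arguments to RequestHandler.set_cookie for crafted characters, so an attacker able to influence one of those values could inject cookie attributes and manipulate cookie settings. This could lead to unauthorized access to sensitive information. Update to Tornado 6.5.5 or later to fix this issue.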

Original title
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to RequestHandler.set_cookie were not checked for crafted characters.
NVD CVSS 3.1 score: 7.2
Vulnerability type
CWE-159
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026
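Where an immediate upgrade is not possible, the three affected arguments can be validated before they reach set_cookie. The following is an added example, not Tornado's own fix or code from this advisory; the function name checked_cookie_attrs and the exact rejection rules (control characters, ";", non-ASCII, a hostname pattern for domain, a SameSite allowlist) are assumptions chosen to be stricter than the advisory requires.

```python
import re

# Assumption: ";" separates cookie attributes (RFC 6265) and control
# characters such as CR/LF can break the header line, so neither is allowed.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f;]")
# Optional leading dot, then dot-separated labels of letters, digits, hyphens.
_DOMAIN = re.compile(r"\.?[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*")
_SAMESITE = {"strict": "Strict", "lax": "Lax", "none": "None"}


def checked_cookie_attrs(domain=None, path="/", samesite=None):
    """Return validated domain/path/samesite kwargs, or raise ValueError."""
    attrs = {}
    for name, value in (("domain", domain), ("path", path), ("samesite", samesite)):
        if value is None:
            continue
        if not isinstance(value, str):
            raise ValueError(f"{name} must be a string")
        if _FORBIDDEN.search(value) or not value.isascii():
            raise ValueError(f"{name} contains a forbidden character: {value!r}")
        attrs[name] = value

    if "domain" in attrs and not _DOMAIN.fullmatch(attrs["domain"]):
        raise ValueError(f"domain is not a valid host name: {attrs['domain']!r}")
    if "path" in attrs and not attrs["path"].startswith("/"):
        raise ValueError(f"path must start with '/': {attrs['path']!r}")
    if "samesite" in attrs:
        canonical = _SAMESITE.get(attrs["samesite"].lower())
        if canonical is None:
            raise ValueError(f"samesite must be Strict, Lax or None: {attrs['samesite']!r}")
        attrs["samesite"] = canonical
    return attrs


def is_rejected(**kwargs):
    """Helper: True when checked_cookie_attrs refuses the given values."""
    try:
        checked_cookie_attrs(**kwargs)
    except ValueError:
        return True
    return False


# Intended use inside a handler (values here are constructed samples):
#   self.set_cookie("sid", token, **checked_cookie_attrs(
#       domain="example.com", path="/app", samesite="lax"))
```
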