Cookie Attribute Injection Vulnerability in Tornado Web Framework
CVE-2026-35536
7.2HIGH
What is CVE-2026-35536?
The Tornado Web Framework, prior to version 6.5.5, is vulnerable to a cookie attribute injection issue. This arises from inadequate validation of the domain, path, and samesite parameters in the .RequestHandler.set_cookie method, allowing attackers to potentially inject malicious cookie attributes. Implementing the latest version is essential to mitigate this risk and enhance the overall security posture of applications using Tornado.
Affected Version(s)
Tornado 0 < 6.5.5
