Cookie Attribute Injection Vulnerability in Tornado Web Framework
CVE-2026-35536

7.2HIGH

Key Information:

Vendor

Tornadoweb

Status
Vendor
CVE Published:
3 April 2026

What is CVE-2026-35536?

The Tornado Web Framework, prior to version 6.5.5, is vulnerable to a cookie attribute injection issue. This arises from inadequate validation of the domain, path, and samesite parameters in the .RequestHandler.set_cookie method, allowing attackers to potentially inject malicious cookie attributes. Implementing the latest version is essential to mitigate this risk and enhance the overall security posture of applications using Tornado.

Affected Version(s)

Tornado 0 < 6.5.5

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.