top of page
perceptive_background_267k.jpg

In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked …

Published:

2 april 2026 om 22:00:00

Alert date:

3 april 2026 om 17:05:03

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies

A cookie attribute injection vulnerability was discovered in Tornado web framework versions before 6.5.5. The vulnerability occurs because the domain, path, and samesite arguments to the RequestHandler.set_cookie method were not properly validated for crafted characters. This allows attackers to inject malicious cookie attributes through these parameters. The vulnerability has been addressed in Tornado version 6.5.5. Organizations using affected versions should upgrade to the patched version immediately.

Technical details

Mitigation steps:

Affected products:

Tornado

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-35536
https://github.com/tornadoweb/tornado/releases/tag/v6.5.5
https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page