top of page
perceptive_background_267k.jpg

In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked …

Published:

2 april 2026 om 22:00:00

Alert date:

3 april 2026 om 05:01:04

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies

A vulnerability in Tornado web framework versions before 6.5.5 allows cookie attribute injection attacks. The issue occurs because the domain, path, and samesite arguments to the RequestHandler.set_cookie method were not properly validated for crafted characters. Attackers could potentially inject malicious cookie attributes by providing specially crafted input to these parameters. This could lead to various security issues including session manipulation or cookie-based attacks. The vulnerability has been fixed in version 6.5.5 of the Tornado framework.

Technical details

Mitigation steps:

Affected products:

Tornado

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-35536
https://github.com/tornadoweb/tornado/releases/tag/v6.5.5
https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page