Skip to main content

Red Hat CVE-2026-35536

| EUVDEUVD-2026-18574 HIGH
Improper Handling of Invalid Use of Special Elements (CWE-159)
2026-04-03 mitre GHSA-fqwm-6jpj-5wxc
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
SUSE
HIGH
qualitative
Red Hat
5.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Apr 04, 2026 - 08:30 nvd
Patch available
EUVD ID Assigned
Apr 03, 2026 - 03:45 euvd
EUVD-2026-18574
Analysis Generated
Apr 03, 2026 - 03:45 vuln.today
CVE Published
Apr 03, 2026 - 02:25 nvd
HIGH 7.2

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 123 pypi packages depend on tornado (11 direct, 113 indirect)

Ecosystem-wide dependent count for version 6.5.5.

DescriptionCVE.org

In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.

AnalysisAI

Cookie attribute injection in Tornado web framework versions before 6.5.5 allows unauthenticated remote attackers to manipulate cookie security attributes through crafted characters in domain, path, and samesite parameters of RequestHandler.set_cookie. With CVSS 7.2 and EPSS data unavailable, this represents a moderate integrity and confidentiality risk for web applications using affected Tornado versions. No public exploit identified at time of analysis, though the vulnerability mechanism is straightforward for exploitation.

Technical ContextAI

Tornado is a Python web framework and asynchronous networking library. This vulnerability (CWE-159: Improper Handling of Invalid Use of Special Elements) stems from insufficient input validation in the cookie-setting mechanism. The RequestHandler.set_cookie method accepts domain, path, and samesite parameters but fails to sanitize special characters that have semantic meaning in HTTP Set-Cookie headers (such as semicolons, commas, or newlines). An attacker can inject these characters to manipulate cookie attributes beyond the intended scope, potentially overriding security directives like HttpOnly, Secure flags, or cookie boundaries. The affected component is cpe:2.3:a:tornadoweb:tornado:*:*:*:*:*:*:*:*, specifically all versions prior to 6.5.5. This class of vulnerability exploits the trust boundary between application code and HTTP header serialization.

RemediationAI

Vendor-released patch: Tornado version 6.5.5. Organizations should upgrade to Tornado 6.5.5 or later immediately, available from https://github.com/tornadoweb/tornado/releases/tag/v6.5.5 and standard Python package repositories (pip install --upgrade tornado). For environments where immediate upgrade is not feasible, implement input validation on any user-controlled data passed to domain, path, or samesite parameters of set_cookie calls, specifically filtering or rejecting semicolons, newlines, carriage returns, and other HTTP header delimiter characters. Review application code to ensure cookie security attributes are statically defined rather than dynamically constructed from external input. Consult the GitHub security advisory at https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7 for additional context and migration guidance.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 12 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-35536 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy