EUVD-2026-18574
GHSA-fqwm-6jpj-5wxc
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 102 pypi packages depend on tornado (10 direct, 93 indirect)
Ecosystem-wide dependent count for version 6.5.5.
DescriptionNVD
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.
AnalysisAI
Cookie attribute injection in Tornado web framework versions before 6.5.5 allows unauthenticated remote attackers to manipulate cookie security attributes through crafted characters in domain, path, and samesite parameters of RequestHandler.set_cookie. With CVSS 7.2 and EPSS data unavailable, this represents a moderate integrity and confidentiality risk for web applications using affected Tornado versions. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Identify all applications using Tornado versions before 6.5.5 via dependency scanning and create an inventory of affected systems. Within 7 days: Implement input validation and sanitization on all cookie parameters (domain, path, samesite) to reject crafted characters; document compensating controls deployed. …
Sign in for detailed remediation steps.
More from same product – last 7 days
Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today