CVE-2026-35536

HIGH NVD

CVSS Score 7.2

Severity HIGH

Published Apr 03, 2026

Vendor unknown

Description

In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.

References

https://github.com/tornadoweb/tornado/releases/tag/v6.5.5
https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7