CVE-2026-49854
MEDIUM
NVD
CVSS Score
5.3
Severity
MEDIUM
Published
Jul 14, 2026
Vendor
unknown
Description
Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, the optional native extension tornado.speedups implemented websocket_mask without validating that the mask argument is exactly four bytes, allowing the C function to read up to three bytes beyond the provided buffer when reached through Tornado XSRF token decoding with the native extension active. This issue is fixed in version 6.5.6.