VYPR
High severity7.5NVD Advisory· Published Mar 11, 2026· Updated Apr 1, 2026

CVE-2026-31958

CVE-2026-31958

Description

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
tornadoPyPI
< 6.5.56.5.5

Affected products

98

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.