VYPR

rpm package

almalinux/python3-tornado

pkg:rpm/almalinux/python3-tornado

Vulnerabilities (5)

  • CVE-2026-35536HigApr 3, 2026
    affected < 6.5.5-1.el10_1.1fixed 6.5.5-1.el10_1.1

    In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.

  • CVE-2026-31958HigMar 11, 2026
    affected < 6.5.5-1.el10_1.1fixed 6.5.5-1.el10_1.1

    Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this cre

  • CVE-2025-47287May 15, 2025
    affected < 6.4.2-1.el10_0.1fixed 6.4.2-1.el10_0.1

    Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high vo

  • CVE-2024-52804Nov 22, 2024
    affected < 6.4.2-1.el9_5fixed 6.4.2-1.el9_5

    Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This par

  • CVE-2023-28370May 25, 2023
    affected < 6.1.0-9.el9fixed 6.1.0-9.el9

    Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.