VYPR
Vendor

Tornadoweb

Products
1
CVEs
16
Across products
16
Status
Private

Products

1

Recent CVEs

16
  • CVE-2026-31958HigMar 11, 2026
    risk 0.42cvss 7.5epss 0.00

    Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this…

  • CVE-2026-35536HigApr 3, 2026
    risk 0.40cvss 7.2epss 0.00

    In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.

  • CVE-2026-49853higJun 15, 2026
    risk 0.38cvss epss

    ## Summary When SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest, rewrites the URL, decrements max_redirects, and removes only the Host header. It does not clear Authorization, auth_username, auth_password, or auth_mode when the redirect…

  • CVE-2026-49855higJun 15, 2026
    risk 0.38cvss epss

    Tornado's gzip decompression routines work in limited-size chunks, but have no overall limit for the total size of decompressed chunks that they will accumulate (There has always been a limit for the total *compressed* size). This allows a malicious server to consume effectively…

  • CVE-2026-49854lowJun 12, 2026
    risk 0.00cvss epss 0.00

    ### Summary Tornado's optional native extension `tornado.speedups` implements `websocket_mask` without validating that the `mask` argument is exactly four bytes long. The C function reads four bytes from `mask` unconditionally, even when Python passes a shorter byte string.…

  • CVE-2025-67726Dec 12, 2025
    risk 0.00cvss epss 0.00

    Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header…

  • CVE-2025-67725Dec 12, 2025
    risk 0.00cvss epss 0.00

    Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using…

  • CVE-2025-67724Dec 12, 2025
    risk 0.00cvss epss 0.00

    Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is used unescaped in HTTP headers (where it could be used for header injection) or in HTML in the default error page (where it could be used for XSS)…

  • CVE-2025-47287May 15, 2025
    risk 0.00cvss epss 0.01

    Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high…

  • CVE-2024-42733Mar 7, 2025
    risk 0.00cvss epss 0.01

    An issue in Docmosis Tornado v.2.9.7 and before allows a remote attacker to execute arbitrary code via a crafted script to the UNC path input

  • CVE-2024-52804Nov 22, 2024
    risk 0.00cvss epss 0.01

    Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This…

  • CVE-2023-28370May 25, 2023
    risk 0.00cvss epss 0.01

    Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.

  • CVE-2023-25265Feb 28, 2023
    risk 0.00cvss epss 0.01

    Docmosis Tornado <= 2.9.4 is vulnerable to Directory Traversal leading to the disclosure of arbitrary content on the file system.

  • CVE-2023-25264Feb 28, 2023
    risk 0.00cvss epss 0.01

    An issue was discovered in Docmosis Tornado prior to version 2.9.5. An unauthenticated attacker can bypass the authentication check filter completely by introducing a specially crafted request with relative path segments.

  • CVE-2023-25266Feb 28, 2023
    risk 0.00cvss epss 0.02

    An issue was discovered in Docmosis Tornado prior to version 2.9.5. An authenticated attacker can change the Office directory setting pointing to an arbitrary remote network path. This triggers the execution of the soffice binary under the attackers control leading to arbitrary…

  • CVE-2012-2374May 23, 2012
    risk 0.00cvss epss 0.01

    CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input.