CVE-2026-35536

Summary

In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.

Affected Software

VendorProductVersion RangeStatus
tornadowebTornado0 < 6.5.5affected

Weaknesses

  • CWE-159: CWE-159 Improper Handling of Invalid Use of Special Elements

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References