CVE-2026-35536 — Improper Handling of Invalid Use of Special Elements in Tornado

CWE-159 — Improper Handling of Invalid Use of Special Elements CWE-88 — Argument Injection17 documents7 sources

Severity

5.3MEDIUMNVD

EPSS

0.1%

top 84.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tornadoweb Tornado Debian Python-tornado

Timeline

PublishedApr 3

Latest updateApr 10

Description

In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶NVDtornadoweb/tornado< 6.5.5

▶PyPItornadoweb/tornado< 6.5.5

▶debiandebian/python-tornado< python-tornado 6.1.0-1+deb11u4 (bullseye)

🔴Vulnerability Details

OSV

Tornado has cookie attribute injection via .RequestHandler.set_cookie↗2026-04-03

▶

OSV

CVE-2026-35536: In Tornado before 6↗2026-04-03

▶

GHSA

Tornado has cookie attribute injection via .RequestHandler.set_cookie↗2026-04-03

▶

📋Vendor Advisories

Red Hat

tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments↗2026-04-03

▶

Debian

CVE-2026-35536: python-tornado - In Tornado before 6.5.5, cookie attribute injection could occur because the doma...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-28363 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-1519 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-3591 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-22822 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-34742 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-35536 python-tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments [fedora-all]↗2026-04-10

▶

Bugzilla

CVE-2026-35536 python-tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments [epel-all]↗2026-04-10

▶

Bugzilla

CVE-2026-35536 tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments↗2026-04-03

▶