CVE-2026-35536
Published
CVSS v3
7.2
HIGH
CVSS v2
N/A
Affected
1
PROJECT
Description
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.
Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
GitHub