CVE-2026-35536 | tornadoweb Tornado up to 6.5.4 Attributes RequestHandler.set_cookie samesite invalid special elements (GHSA-78cv-mqj4-43f7)

Inserito da Angelo Barbosa | Apr 3, 2026 | CVE

A vulnerability marked as critical has been reported in tornadoweb Tornado up to 6.5.4. The impacted element is the function RequestHandler.set_cookie of the component Attributes Handler. Performing a manipulation of the argument samesite results in improper handling of invalid use of special elements.

This vulnerability is known as CVE-2026-35536. Remote exploitation of the attack is possible. No exploit is available.

It is suggested to upgrade the affected component.

CVE-2026-35536 | tornadoweb Tornado up to 6.5.4 Attributes RequestHandler.set_cookie samesite invalid special elements (GHSA-78cv-mqj4-43f7)

Post correlati

CVE-2025-22218 | VMware Aria Operations for Logs up to 8.18.2 information disclosure

CVE-2024-45478 | Apache Ranger 2.4.x Edit Service Page cross site scripting

CVE-2025-13298 | itsourcecode Web-Based Internet Laboratory Management System 1.0 controller.php sql injection

CVE-2024-56998 | PHPGurukul Hospital Management System 4.0 /edit-profile.php address cross site scripting