{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35536", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-03T02:25:57.035Z", "datePublished": "2026-04-03T02:25:57.427Z", "dateUpdated": "2026-04-03T13:12:16.105Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Tornado", "vendor": "tornadoweb", "versions": [{"lessThan": "6.5.5", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-159", "description": "CWE-159 Improper Handling of Invalid Use of Special Elements", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-03T02:25:57.427Z"}, "references": [{"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7"}, {"url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T13:12:08.835726Z", "id": "CVE-2026-35536", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:12:16.105Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters."}], "id": "CVE-2026-35536", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-03T04:16:53.550", "references": [{"source": "cve@mitre.org", "url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5"}, {"source": "cve@mitre.org", "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-159"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.5.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tornado", "source": "cna", "vendor": "tornadoweb"}, "product": "tornado", "vendor": "tornadoweb"}], "analysis": {"en": {"generated_at": "2026-04-03T06:20:56.271122+00:00", "value": {"mitigation_remediation": ["Upgrade Tornado to version 6.5.5 or later immediately"], "summary": {"action": "Patch immediately", "impact": "Cookie attribute injection that may allow an attacker to manipulate domain, path, or SameSite settings, potentially compromising session integrity"}, "threat_synthesis": {"affected_systems": "All versions of Tornado older than 6.5.5 are affected. The vulnerability exists in the Tornado web framework itself, where the set_cookie method does not sanitize input for cookie attributes. Users deploying Tornado 6.5.5 or newer are not vulnerable.", "description_and_impact": "The vulnerability allows an attacker to inject arbitrary cookie attributes when the set_cookie method of Tornado\u2019s RequestHandler receives unvalidated domain, path, or samesite values. This can enable manipulation of session cookies, facilitating session fixation, cookie hijacking, or cross\u2011site request forgery by setting attributes that change how browsers handle the cookie. The weakness corresponds to CWE\u2011159, which involves unexpected or unsafe handling of input data. The impact is limited to the integrity and confidentiality of user sessions, as the attacker can influence cookie behavior without executing arbitrary code.", "risk_and_exploitability": "With a CVSS score of 7.2, the issue is classified as high severity. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The attack path is inferred to be remote, via crafted HTTP requests that invoke the set_cookie method. Although there is no direct code execution, the ability to alter cookie characteristics poses a significant risk to session management and may be leveraged in broader attacks such as session fixation or CSRF. Institutions should treat this as a high\u2011priority security concern."}}}}, "created": "2026-04-03T07:31:11.732804+00:00", "title": "Cookie Attribute Injection in Tornado\u2019s set_cookie", "updated": "2026-04-03T09:15:59.334553+00:00", "vendors": ["tornadoweb", "tornadoweb$PRODUCT$tornado"]}