VDB
KO
MEDIUM 5.3

PYSEC-2026-2287

Details

In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / tornado
Introduced in: 0 Fixed in: 6.5.5
Fix pip install --upgrade 'tornado>=6.5.5'

References