Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/tornado@3.0.1

Type pypi

Namespace

Name tornado

Version 3.0.1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 6.5.5

Latest_non_vulnerable_version 6.5.5

Affected_by_vulnerabilities

url VCID-96r3-89by-dyer

vulnerability_id VCID-96r3-89by-dyer

summary Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31958.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31958.json

reference_url

https://github.com/tornadoweb/tornado

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado

reference_url

https://github.com/tornadoweb/tornado/commit/119a195e290c43ad2d63a2cf012c29d43d6ed839

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado/commit/119a195e290c43ad2d63a2cf012c29d43d6ed839

reference_url

https://github.com/tornadoweb/tornado/releases/tag/v6.5.5

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado/releases/tag/v6.5.5

reference_url

https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc

reference_url

https://lists.debian.org/debian-lts-announce/2026/04/msg00000.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2026/04/msg00000.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-31958

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-31958

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130507
reference_id	1130507
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130507

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2446765
reference_id	2446765
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2446765

reference_url	https://access.redhat.com/errata/RHSA-2026:10184
reference_id	RHSA-2026:10184
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10184

reference_url	https://access.redhat.com/errata/RHSA-2026:11454
reference_id	RHSA-2026:11454
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:11454

reference_url	https://access.redhat.com/errata/RHSA-2026:11493
reference_id	RHSA-2026:11493
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:11493

reference_url	https://access.redhat.com/errata/RHSA-2026:11494
reference_id	RHSA-2026:11494
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:11494

reference_url	https://access.redhat.com/errata/RHSA-2026:11495
reference_id	RHSA-2026:11495
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:11495

reference_url	https://access.redhat.com/errata/RHSA-2026:13641
reference_id	RHSA-2026:13641
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13641

reference_url	https://access.redhat.com/errata/RHSA-2026:13670
reference_id	RHSA-2026:13670
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13670

reference_url	https://access.redhat.com/errata/RHSA-2026:19034
reference_id	RHSA-2026:19034
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19034

reference_url	https://access.redhat.com/errata/RHSA-2026:19189
reference_id	RHSA-2026:19189
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19189

reference_url	https://access.redhat.com/errata/RHSA-2026:20572
reference_id	RHSA-2026:20572
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20572

reference_url	https://access.redhat.com/errata/RHSA-2026:20573
reference_id	RHSA-2026:20573
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20573

reference_url	https://access.redhat.com/errata/RHSA-2026:20577
reference_id	RHSA-2026:20577
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20577

reference_url	https://access.redhat.com/errata/RHSA-2026:20810
reference_id	RHSA-2026:20810
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20810

reference_url	https://access.redhat.com/errata/RHSA-2026:8093
reference_id	RHSA-2026:8093
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8093

fixed_packages

url	pkg:pypi/tornado@6.5.5
purl	pkg:pypi/tornado@6.5.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.5.5

aliases CVE-2026-31958, GHSA-qjxf-f2mg-c6mc, PYSEC-2026-140

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-96r3-89by-dyer

url VCID-a4ry-gnvn-e3a1

vulnerability_id VCID-a4ry-gnvn-e3a1

summary Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28370.json

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28370.json

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2023-75.yaml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2023-75.yaml

reference_url

https://github.com/tornadoweb/tornado

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado

reference_url

https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f

reference_url

https://github.com/tornadoweb/tornado/releases/tag/v6.3.2

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado/releases/tag/v6.3.2

reference_url

https://jvn.jp/en/jp/JVN45127776

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://jvn.jp/en/jp/JVN45127776

reference_url	https://jvn.jp/en/jp/JVN45127776/
reference_id
reference_type
scores
url	https://jvn.jp/en/jp/JVN45127776/

reference_url

https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/01/msg00000.html

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036875
reference_id	1036875
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036875

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2210199
reference_id	2210199
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2210199

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-28370

reference_id

CVE-2023-28370

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-28370

reference_url	https://github.com/advisories/GHSA-hj3f-6gcp-jg8j
reference_id	GHSA-hj3f-6gcp-jg8j
reference_type
scores
url	https://github.com/advisories/GHSA-hj3f-6gcp-jg8j

reference_url	https://access.redhat.com/errata/RHSA-2023:6523
reference_id	RHSA-2023:6523
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6523

fixed_packages

url pkg:pypi/tornado@6.3.2

purl pkg:pypi/tornado@6.3.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-96r3-89by-dyer

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.3.2

aliases CVE-2023-28370, GHSA-hj3f-6gcp-jg8j, PYSEC-2023-75

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a4ry-gnvn-e3a1

url VCID-gbeg-1cjj-fufw

vulnerability_id VCID-gbeg-1cjj-fufw

summary Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.

references

reference_url

http://openwall.com/lists/oss-security/2015/05/19/4

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://openwall.com/lists/oss-security/2015/05/19/4

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-9720.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-9720.json

reference_url

https://bugzilla.novell.com/show_bug.cgi?id=930362

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.novell.com/show_bug.cgi?id=930362

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=1222816

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=1222816

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2020-213.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/tornado/PYSEC-2020-213.yaml

reference_url

https://github.com/tornadoweb/tornado

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado

reference_url

https://github.com/tornadoweb/tornado/commit/1c36307463b1e8affae100bf9386948e6c1b2308

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/tornadoweb/tornado/commit/1c36307463b1e8affae100bf9386948e6c1b2308

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2014-9720

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2014-9720

reference_url

http://www.tornadoweb.org/en/stable/releases/v3.2.2.html

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	7.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://www.tornadoweb.org/en/stable/releases/v3.2.2.html

fixed_packages

url pkg:pypi/tornado@3.2.2

purl pkg:pypi/tornado@3.2.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-96r3-89by-dyer

vulnerability	VCID-a4ry-gnvn-e3a1

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@3.2.2

aliases CVE-2014-9720, GHSA-8vpw-mgpf-mpvv, PYSEC-2020-213

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gbeg-1cjj-fufw

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@3.0.1

Package Instance