Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/tornado@6.5.3
Typepypi
Namespace
Nametornado
Version6.5.3
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version6.5.5
Latest_non_vulnerable_version6.5.5
Affected_by_vulnerabilities
0
url VCID-96r3-89by-dyer
vulnerability_id VCID-96r3-89by-dyer
summary Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.
references
0
reference_url https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc
1
reference_url https://lists.debian.org/debian-lts-announce/2026/04/msg00000.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://lists.debian.org/debian-lts-announce/2026/04/msg00000.html
fixed_packages
0
url pkg:pypi/tornado@6.5.5
purl pkg:pypi/tornado@6.5.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.5.5
aliases CVE-2026-31958, GHSA-qjxf-f2mg-c6mc, PYSEC-2026-140
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-96r3-89by-dyer
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/tornado@6.5.3