VulnerableCode Package Details - pkg:deb/debian/python-tornado@6.4.2-3%2Bdeb13u2

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:deb/debian/python-tornado@6.4.2-3%2Bdeb13u2

purl	pkg:deb/debian/python-tornado@6.4.2-3%2Bdeb13u2

Next non-vulnerable version	6.5.5-2
Latest non-vulnerable version	6.5.5-2
Risk	4.0

Vulnerabilities affecting this package (2)

Vulnerability	Summary	Fixed by
VCID-96r3-89by-dyer Aliases: CVE-2026-31958 GHSA-qjxf-f2mg-c6mc PYSEC-2026-140	Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.	6.5.5-2 Affected by 0 other vulnerabilities.
VCID-9vcz-3gme-b3bm Aliases: CVE-2026-35536 GHSA-fqwm-6jpj-5wxc	tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments	6.5.5-2 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-05T20:29:01.168101+00:00	Debian Importer	Affected by	VCID-9vcz-3gme-b3bm	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-05T19:25:04.263241+00:00	Debian Importer	Affected by	VCID-96r3-89by-dyer	https://security-tracker.debian.org/tracker/data/json	38.6.0