VulnerableCode Package Details - pkg:deb/debian/python-tornado@6.5.5-2

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:deb/debian/python-tornado@6.5.5-2

Essentials
History (2)

purl	pkg:deb/debian/python-tornado@6.5.5-2

Vulnerabilities affecting this package (0)

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerabilities fixed by this package (2)

Vulnerability	Summary	Aliases
VCID-96r3-89by-dyer	Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.	CVE-2026-31958 GHSA-qjxf-f2mg-c6mc PYSEC-2026-140
VCID-9vcz-3gme-b3bm	tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments	CVE-2026-35536 GHSA-fqwm-6jpj-5wxc

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-05T20:29:01.172356+00:00	Debian Importer	Fixing	VCID-9vcz-3gme-b3bm	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-05T19:25:04.268247+00:00	Debian Importer	Fixing	VCID-96r3-89by-dyer	https://security-tracker.debian.org/tracker/data/json	38.6.0