Product
tornadoweb tornado
15 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-35536
< 6.5.5
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandle
7.2
HIGH
CVE-2026-31958
< 6.5.5
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on th
7.5
HIGH
CVE-2025-67726
< 6.5.3
Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when
7.5
HIGH
CVE-2025-67725
< 6.5.3
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted H
7.5
HIGH
CVE-2025-67724
< 6.5.3
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, the supplied reason phrase is
5.4
MEDIUM
CVE-2025-47287
< 6.5.0
Tornado is a Python web framework and asynchronous networking library. When Tornado's `multipart/form-data` parser encounters ce
7.5
HIGH
CVE-2024-42733
<= 2.9.7
An issue in Docmosis Tornado v.2.9.7 and before allows a remote attacker to execute arbitrary code via a crafted script to the UNC
9.8
CRITICAL
CVE-2024-52804
< 6.4.2
Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado vers
7.5
HIGH
CVE-2023-28370
< 6.3.2
Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to a
6.1
MEDIUM
CVE-2023-25266
< 2.9.5
An issue was discovered in Docmosis Tornado prior to version 2.9.5. An authenticated attacker can change the Office directory sett
8.8
HIGH
CVE-2023-25265
< 2.9.5
Docmosis Tornado <= 2.9.4 is vulnerable to Directory Traversal leading to the disclosure of arbitrary content on the file system.
7.5
HIGH
CVE-2023-25264
< 2.9.5
An issue was discovered in Docmosis Tornado prior to version 2.9.5. An unauthenticated attacker can bypass the authentication chec
7.5
HIGH
CVE-2014-9720
< 3.2.2
Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes
6.5
MEDIUM
CVE-2012-2374
<= 2.2
CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers
CVE-2008-5264
<= 4.2
Cross-site scripting (XSS) vulnerability in searcher.exe in Tornado Knowledge Retrieval System 4.2 and earlier allows remote attac
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin