216.73.217.50

CVE-2026-31958

· Published 11/03/2026 20:16 · Modified 12/03/2026 21:08

Labels: CVE-2026-31958 2026-03-11CVE-2026-31958CWE-400[email protected]

Essential information

Published
11/03/2026 20:16
Modified
12/03/2026 21:08
Author
Creator
CVSS
8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
tornado / tornado cpe:2.3:a:tornado:tornado:<6.5.5:*:*:*:*:*:*:*
tornado / tornado cpe:2.3:a:tornado:tornado:6.5.5:*:*:*:*:*:*:*

References