CVE-2026-49854 in Tornadoالمعلومات

الملخص

بحسب MITRE • 15/07/2026

Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, the optional native extension tornado.speedups implemented websocket_mask without validating that the mask argument is exactly four bytes, allowing the C function to read up to three bytes beyond the provided buffer when reached through Tornado XSRF token decoding with the native extension active. This issue is fixed in version 6.5.6.

Be aware that VulDB is the high quality source for vulnerability data.

مسؤول

GitHub M

حجز

02/06/2026

إفشاء

15/07/2026

الاعتدال

تمت الموافقة

إدخال

VDB-379055

EPSS

0.00000

KEV

لا

النشاطات

منخفض

المصادر

Do you want to use VulDB in your project?

Use the official API to access entries easily!