Live data from GitHub and PyPI, updated daily.
Data last fetched: 2026-05-15
10 active CVEs reported via OSV.dev
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in tornado
Tornado has incomplete validation of cookie attributes
Tornado vulnerable to excessive logging caused by malformed multipart form data
Tornado XSRF cookie allows side-channel attack against TLS (BREACH attack)
Tornado has an HTTP cookie parsing DoS vulnerability
Tornado CRLF injection vulnerability
Tornado has cookie attribute injection via .RequestHandler.set_cookie
Open redirect in Tornado
Tornado is vulnerable to DoS due to too many multipart parts
Tornado vulnerable to HTTP request smuggling via improper parsing of `Content-Length` fields and chunk lengths