It was discovered that Tornado incorrectly handled parsing of large multipart request bodies. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-31958)
It was discovered that Tornado did not properly validate characters in cookie values. An attacker could possibly use this issue to inject arbitrary cookie attributes. (CVE-2026-35536)
6.4.0-1ubuntu0.56.4.2-3ubuntu0.34.2.1-1ubuntu3.1+esm34.5.3-1ubuntu0.2+esm36.0.3+really5.1.1-3ubuntu0.1~esm56.1.0-3ubuntu0.1~esm5