๐Ÿ” CVE Alert

CVE-2026-31958

UNKNOWN 0.0

Tornado has a DoS due to too many multipart parts

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.
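
For deployments that cannot move to 6.5.5 immediately, the part-count limit that the description says was missing can be approximated before a buffered body reaches the multipart parser. The following is an added example, not code from Tornado or the advisory, and it uses only the standard library. The function names, the `MAX_PARTS` value of 100 and the sample bodies are assumptions made for illustration.

```python
import re

MAX_PARTS = 100  # assumed policy limit; not a value from the advisory

_BOUNDARY_RE = re.compile(r'boundary=(?:"([^"]+)"|([^;\s]+))', re.IGNORECASE)


def is_multipart(content_type):
    """True when the media type (ignoring parameters) is multipart/form-data."""
    return content_type.split(";", 1)[0].strip().lower() == "multipart/form-data"


def extract_boundary(content_type):
    """Return the boundary as bytes, or None if not multipart or no boundary given."""
    if not is_multipart(content_type):
        return None
    match = _BOUNDARY_RE.search(content_type)
    if match is None:
        return None
    return (match.group(1) or match.group(2)).encode("utf-8")


def body_allowed(content_type, body, max_parts=MAX_PARTS):
    """Decide whether a buffered body may be handed to the multipart parser."""
    if not is_multipart(content_type):
        return True  # other content types are outside this guard's scope
    boundary = extract_boundary(content_type)
    if boundary is None:
        return False  # multipart without a usable boundary: reject as malformed
    # One linear scan; a well-formed body with N parts holds N + 1 delimiters
    # (N part openers plus the closing "--boundary--").
    delimiters = body.count(b"--" + boundary)
    return delimiters <= max_parts + 1


def build_sample_body(boundary, n):
    """Constructed test data: a multipart body with n tiny text fields."""
    parts = "".join(
        f'--{boundary}\r\nContent-Disposition: form-data; name="f{i}"\r\n\r\nv{i}\r\n'
        for i in range(n)
    )
    return (parts + f"--{boundary}--\r\n").encode("utf-8")


if __name__ == "__main__":
    ctype = 'multipart/form-data; boundary="sample-boundary"'
    for n in (3, 100, 101):
        print(n, body_allowed(ctype, build_sample_body("sample-boundary", n)))
```

The guard counts every occurrence of the delimiter, so it can only overestimate the number of parts, never underestimate it.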

CWE: CWE-400
Vendor: tornadoweb
Product: tornado
Published: Mar 11, 2026
Last Updated: Apr 1, 2026

Affected Versions

tornadoweb / tornado
< 6.5.5

References

github.com: https://github.com/tornadoweb/tornado/security/advisories/GHSA-qjxf-f2mg-c6mc
lists.debian.org: https://lists.debian.org/debian-lts-announce/2026/04/msg00000.html