๐Ÿ” CVE Alert

CVE-2026-49854

MEDIUM 5.3

Tornado: Out-of-bounds memory access in C extension

CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th

Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, the optional native extension tornado.speedups implemented websocket_mask without validating that the mask argument is exactly four bytes, allowing the C function to read up to three bytes beyond the provided buffer when reached through Tornado XSRF token decoding with the native extension active. This issue is fixed in version 6.5.6.

CWE CWE-126
Vendor tornadoweb
Product tornado
Published Jul 14, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for tornadoweb tornado

Be the first to know when new medium vulnerabilities affecting tornadoweb tornado are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Affected Versions

tornadoweb / tornado
< 6.5.6

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/tornadoweb/tornado/security/advisories/GHSA-cx3h-4qpv-8hc9 github.com: https://github.com/tornadoweb/tornado/pull/3626 github.com: https://github.com/tornadoweb/tornado/commit/96dc88c2a05705287856b2cd6b4b4034f9a6aaac github.com: https://github.com/tornadoweb/tornado/releases/tag/v6.5.6