In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to RequestHandler.set_cookie were not checked for crafted characters.
CVSS
7.2
HIGH
Published
Apr 3, 2026
CWE hub
This hub groups CVEs that NVD maps to CWE-159, so you can review recent disclosures, common vendors, and related weakness patterns in one place.
Mapped CVEs
2
Records currently returned for this weakness ID.
Top vendor
suitecrm
1 mapped CVE in the aggregate scan.
Top product
suitecrm
1 mapped CVE in the aggregate scan.
KEV on page
0
Visible rows already present in the CISA KEV catalog.
Search results
Showing 1-2 of 2 vulnerabilities.
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the value of the return_id request parameter is copied into the value of an HTML tag attribute which is an event handler and is encapsulated in double quotation marks. Versions 7.15.1 and 8.9.3 patch the issue. Users should also use a Content Security Policy (CSP) header to completely mitigate XSS.
CVSS
5.9
MEDIUM
Published
Mar 19, 2026