HIGH
tornadoweb
CVE published 2026-07-14
CVE-2026-49855
CVE-2026-49855 is a HIGH severity vulnerability in Tornado's gzip decompression routines. The issue allows a malicious server to consume effectively unlimited memory by processing limited-size chunks without enforcing an overall limit on accumulated decompressed chunks. This vulnerability is fixed in version 6.5.6. Users should review server configurations for SimpleAsyncHTTPClient or HTTPServer with deco [truncated]