PatchSiren

tornadoweb CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH tornadoweb CVE published 2026-07-14

CVE-2026-49855

CVE-2026-49855 is a HIGH severity vulnerability in Tornado's gzip decompression routines. The issue allows a malicious server to consume effectively unlimited memory by processing limited-size chunks without enforcing an overall limit on accumulated decompressed chunks. This vulnerability is fixed in version 6.5.6. Users should review server configurations for SimpleAsyncHTTPClient or HTTPServer with deco [truncated]