CVE-2026-31958

ADVISORY - github

Summary

In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts.

Tornado 6.5.5 introduces new limits on the size and complexity of multipart bodies, including a default limit of 100 parts per request. These limits are configurable if needed; see tornado.httputil.ParseMultipartConfig. It is also now possible to disable multipart/form-data parsing entirely if it is not required for the application.

EPSS Score⁠: 0.00048 (0.148)

Common Weakness Enumeration (CWE)

ADVISORY - nist

NIST

CREATED

2 days ago

UPDATED

20 hours ago

ADVISORY IDCVE-2026-31958⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-400⁠

CVSS SCORE

8.7high

GitHub

CREATED

1 day ago

UPDATED

1 day ago

ADVISORY IDGHSA-qjxf-f2mg-c6mc⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-400⁠

CVSS SCORE

8.7high

Debian

CREATED

2 days ago

UPDATED

14 hours ago

ADVISORY IDCVE-2026-31958⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Ubuntu

CREATED

1 day ago

UPDATED

1 day ago

ADVISORY IDCVE-2026-31958⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Red Hat

CREATED

2 days ago

UPDATED

16 hours ago

ADVISORY IDCVE-2026-31958⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-770⁠

CVSS SCORE

5.3medium

CVE-2026-31958

Summary

Common Weakness Enumeration (CWE)

CWE-400⁠

CWE-400⁠

CWE-770⁠

Advisories

NIST

CVSS SCORE

GitHub

CVSS SCORE

Debian

Ubuntu

CVSS SCORE

Red Hat

CVSS SCORE