CVE-2026-35536

medium

Red Hat

CVSS v3 Base Score

5.4

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS Score

0.0%

Exploitation probability in 30 days

Top 89% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Confidentiality

Low

Integrity

Low

Availability

None

Published: April 3, 2026 (41 days ago)

Last Modified: April 3, 2026

Vendor: Red Hat

Source: REDHAT

Description

In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.

CWE

CWE-88

Affected Products

External Secrets Operator for Red Hat OpenShiftLightspeed CoreMigration Toolkit for Applications 8OpenShift LightspeedRed Hat Enterprise Linux 8Red Hat Enterprise Linux 9Red Hat Enterprise Linux AI (RHEL AI) 3Red Hat Hardened Images 1Red Hat OpenShift AI (RHOAI)Red Hat OpenShift Container Platform 4

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 github.com 🔗 github.com

CVE-2026-35536

Vulnerability Report

Description

CWE

Affected Products

References