OPENSUSE-SU-2026:20015-1

Advisory lineage Upstream: 3 Downstream: 0

Upstream

CVE-2025-67724 CVE-2025-67725 CVE-2025-67726

Published: 12 Jan 2026, 10:29

Last modified:23 Mar 2026, 04:54

Vulnerability Summary

Overall Risk (default)

minimal

0/100

CVSS Score

No data

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

12 Jan 2026, 10:29

Published

Vulnerability first disclosed

23 Mar 2026, 04:54

Last Modified

Vulnerability information updated

Description

Security update for python-tornado6 This update for python-tornado6 fixes the following issues: - CVE-2025-67724: unescaped `reason` argument used in HTTP headers and in HTML default error pages can be used by attackers to launch header injection or XSS attacks (bsc#1254903). - CVE-2025-67725: quadratic complexity of string concatenation operations used by the `HTTPHeaders.add` method can lead o DoS when processing a maliciously crafted HTTP request (bsc#1254905). - CVE-2025-67726: quadratic complexity algorithm used in the `_parseparam` function of `httputil.py` can lead to DoS when processing maliciously crafted parameters in a `Content-Disposition` header (bsc#1254904).

Affected Systems

opensuse•python-tornado6&distro=openSUSE Leap 16.0
< 6.5-160000.3.1

OPENSUSE-SU-2026:20015-1

Vulnerability Summary

Timeline

Description

Affected Systems

References (6)