CVE-2026-54280

CVE-2026-54280 affects AIOHTTP. Before 3.14.1, payload resources may not be closed if a client disconnects during a write, risking temporary resource starvation (e.g., open files) with no additional impact details provided. The issue is fixed in 3.14.1. The CVSS-based note in the initial data ind...

CVE-2026-54280

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, payload resources are not closed correctly when a client disconnects in the middle of a write. If a payload is using an open file or similar limited resource, then an attacker may be able to cause...

CVE-2026-54279

AIOHTTP (Python/asyncio) has a vulnerability where host-only cookies saved with CookieJar.save() and later loaded with CookieJar.load() can lose their host-only status. Affected versions prior to 3.14.1; fixed in 3.14.1. Implication: potential cookie scope changes after persistence. Mitigation: u...

Linux Distros Unpatched Vulnerability : CVE-2026-54276

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, DigestAuthMiddleware can send an authentication response after...

Linux Distros Unpatched Vulnerability : CVE-2026-54278

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, during cleanup it is possible for a compressed request body to ...

Linux Distros Unpatched Vulnerability : CVE-2026-54273

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, no limit was present on the number of pipelined requests that...

Linux Distros Unpatched Vulnerability : CVE-2026-54274

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads,...

Improper Resource Shutdown or Release

Overview Affected versions of this package are vulnerable to Improper Resource Shutdown or Release in the payload response resources when a client disconnects during a write operation. An attacker can cause temporary resource exhaustion by repeatedly initiating connections and disconnecting...

Improper Handling of Highly Compressed Data (Data Amplification)

Overview Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification during cleanup. An attacker can exhaust system memory by sending a specially crafted compressed payload that is decompressed into memory in a single chunk. Remediation Upgra...

aiohttp: CRLF injection in multipart headers

Summary Attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar. Impact In the unlikely situation that an application is passing user-controlled strings into MultipartWriter.appendheaders=... or Payload.headers, the...

GHSA-HG6J-4RV6-33PG AIOHTTP is vulnerable to cross-origin redirect with per-request cookies

Summary Cookies set with the cookies parameter on requests are sent after following a cross-origin redirect. Impact If a developer uses the cookies parameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect. Workaround If unable to...

01os (>=0.0.1 <=0.0.14), 0b1-protocol (>=0.1.0 <=0.1.3) +41558 more potentially affected by CVE-2026-47265 via aiohttp (>=3.0.0b0 <=3.13.5)

aiohttp PYPI version =3.0.0b0, =0.0.1, =0.1.0, =0.1.0, =0.2.0, =0.1.0, =1.0.0, =0.1.0, =0.1.0, =1.0.0, =0.1.0, =0.1.1, =0.1.2, =0.1.3 - 1942pyc =7.0.1 - 1claw-crewai-tools =0.1.0 and more Source cves: CVE-2026-47265 Source advisory: SNYK:PYTHON-AIOHTTP-17146580...

01os (>=0.0.1 <=0.0.14), 0b1-protocol (>=0.1.0 <=0.1.3) +41628 more potentially affected by CVE-2026-47265 via aiohttp (>=0.13.1 <=3.13.5)

aiohttp PYPI version =0.13.1, =0.0.1, =0.1.0, =0.1.0, =0.2.0, =0.1.0, =1.0.0, =0.1.0, =0.1.0, =1.0.0, =0.1.0, =0.1.1, =0.1.2, =0.1.3 - 1942pyc =7.0.1 - 1claw-crewai-tools =0.1.0 and more Source cves: CVE-2026-47265 Source advisory: OSV:GHSA-HG6J-4RV6-33PG...

GHSA-JG22-MG44-37J8 AIOHTTP is Vulnerable to Deserialization of Untrusted Data

Summary Using CookieJar.load with untrusted input may allow arbitrary code execution. Impact Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Workaround If an application does allow attacker controlled files to be...

01os (>=0.0.1 <=0.0.14), 0b1-protocol (>=0.1.0 <=0.1.3) +41628 more potentially affected by CVE-2026-34993 via aiohttp (>=0.13.1 <=3.13.5)

aiohttp PYPI version =0.13.1, =0.0.1, =0.1.0, =0.1.0, =0.2.0, =0.1.0, =1.0.0, =0.1.0, =0.1.0, =1.0.0, =0.1.0, =0.1.1, =0.1.2, =0.1.3 - 1942pyc =7.0.1 - 1claw-crewai-tools =0.1.0 and more Source cves: CVE-2026-34993 Source advisory: OSV:GHSA-JG22-MG44-37J8...

01os (>=0.0.1 <=0.0.14), 0b1-protocol (>=0.1.0 <=0.1.3) +41558 more potentially affected by CVE-2026-34993 via aiohttp (>=3.0.0b0 <=3.13.5)

aiohttp PYPI version =3.0.0b0, =0.0.1, =0.1.0, =0.1.0, =0.2.0, =0.1.0, =1.0.0, =0.1.0, =0.1.0, =1.0.0, =0.1.0, =0.1.1, =0.1.2, =0.1.3 - 1942pyc =7.0.1 - 1claw-crewai-tools =0.1.0 and more Source cves: CVE-2026-34993 Source advisory: SNYK:PYTHON-AIOHTTP-17146576...

Linux Distros Unpatched Vulnerability : CVE-2026-34993

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using CookieJar.load with untrusted input may allow...

DEBIAN-CVE-2026-34993

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using CookieJar.load with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect man...

CVE-2026-34993 AIOHTTP Vulnerable to Deserialization of Untrusted Data

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using CookieJar.load with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect man...

Security Bulletin: Security vulnerability in Python affects IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak

Summary A security vulnerability in Python affects IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak. Python is used by IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak as part of its deployment. This bulletin identifies the fixes...