171 matches found
GHSA-HG6J-4RV6-33PG AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
Summary: Cookies set with the cookies parameter on requests are sent after following a cross-origin redirect. Impact: If a developer uses the cookies parameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect. Workaround: If unable to...
GHSA-JG22-MG44-37J8 AIOHTTP is Vulnerable to Deserialization of Untrusted Data
Summary: Using CookieJar.load with untrusted input may allow arbitrary code execution. Impact: Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Workaround: If an application does allow attacker controlled files to be...
Linux Distros Unpatched Vulnerability : CVE-2026-34993
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using CookieJar.load with untrusted input may allow...
DEBIAN-CVE-2026-34993
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using CookieJar.load with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect man...
CVE-2026-34993 AIOHTTP Vulnerable to Deserialization of Untrusted Data
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using CookieJar.load with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect man...
Security Bulletin: Security vulnerability in Python affects IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak
Summary: A security vulnerability in Python affects IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak. Python is used by IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak as part of its deployment. This bulletin identifies the fixes...
ROS-20260420-73-0025
Vulnerability in python-aiohttp related to lack of service data protection. Exploitation of the vulnerability may allow a remote attacker to gain unauthorized access to protected information...
Linux Distros Unpatched Vulnerability : CVE-2026-34520
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted nul...
Linux Distros Unpatched Vulnerability : CVE-2026-34516
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart header...
Linux Distros Unpatched Vulnerability : CVE-2026-34514
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in...
SUSE CVE-2026-34514
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4...
CVE-2026-34525
A flaw was found in aiohttp, an asynchronous HTTP client/server framework for Python. This vulnerability allows a remote attacker to send multiple Host headers in a single request. This can lead to unexpected behavior, potentially bypassing security controls or causing cache poisoning, which may...
CVE-2026-34516
A flaw was found in AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python. A remote attacker could exploit this vulnerability by sending a response with an excessive number of multipart headers. This could cause the system to consume more memory than intended, leading to a...
5mghost-rover (>=0.0.1 <=0.0.3), a-mailx (=0.1.0) +1297 more potentially affected by CVE-2026-34525 via aiohttp (>=3.0.0b0 <=3.13.3)
aiohttp PYPI version =3.0.0b0, =0.0.1, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.6.0, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34525 Source advisory: SNYK:PYTHON-AIOHTTP-15873733...
5mghost-rover (>=0.0.1 <=0.0.3), a-mailx (=0.1.0) +1297 more potentially affected by CVE-2026-34520 via aiohttp (>=3.0.0b0 <=3.13.3)
aiohttp PYPI version =3.0.0b0, =0.0.1, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.6.0, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34520 Source advisory: SNYK:PYTHON-AIOHTTP-15873704...
5mghost-rover (>=0.0.1 <=0.0.3), a-mailx (=0.1.0) +1297 more potentially affected by CVE-2026-34519 via aiohttp (>=3.0.0b0 <=3.13.3)
aiohttp PYPI version =3.0.0b0, =0.0.1, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.6.0, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34519 Source advisory: SNYK:PYTHON-AIOHTTP-15873731...
GHSA-966J-VMVW-G2G9 AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect
Summary: When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. Impact: The Cookie and Proxy-Authorization headers could contain sensitive information which may be leaked to an unintended party after following...
5mghost-rover (>=0.0.1 <=0.0.3), a-mailx (=0.1.0) +1297 more potentially affected by CVE-2026-34518 via aiohttp (>=3.0.0b0 <=3.13.3)
aiohttp PYPI version =3.0.0b0, =0.0.1, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.6.0, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34518 Source advisory: SNYK:PYTHON-AIOHTTP-15873735...
Allocation of Resources Without Limits or Throttling
Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Request.post function. An attacker can cause excessive memory allocation by sending a specially crafted multipart request containing large non-file fields. Remediation: Upgrade...
5mghost-rover (>=0.0.1 <=0.0.3), a-mailx (=0.1.0) +1297 more potentially affected by CVE-2026-34516 via aiohttp (>=3.0.0b0 <=3.13.3)
aiohttp PYPI version =3.0.0b0, =0.0.1, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.6.0, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34516 Source advisory: SNYK:PYTHON-AIOHTTP-15873732...