Github Security Blog
added 2026/04/01 9:49 p.m., 4 views

AIOHTTP accepts duplicate Host headers

Summary Multiple Host headers were allowed in aiohttp. Impact Mostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly...

6.3 CVSS | 5.9 AI score | 0.00162 EPSS
Exploits 0 | References 6 | Affected Software 1
vulnersOsv
added 2026/04/01 9:49 p.m., 2 views

5mghost-rover (>=0.0.1 <=0.0.3), a-mailx (=0.1.0) +1297 more potentially affected by CVE-2026-34520 via aiohttp (>=3.0.0b0 <=3.13.3)

aiohttp PYPI version =3.0.0b0, =0.0.1, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.6.0, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34520 Source advisory: SNYK:PYTHON-AIOHTTP-15873704...

9.1 CVSS | 5.8 AI score | 0.00078 EPSS
Exploits 0
EUVD
added 2026/04/01 9:49 p.m., 2 views

EUVD-2026-18046

AIOHTTP's C parser llhttp accepts null bytes and control characters in response header values - header injection/security bypass...

6.9 CVSS | 5.8 AI score | 0.00078 EPSS
Exploits 0 | References 4
OSV
added 2026/04/01 9:49 p.m., 0 views

GHSA-63HF-3VF5-4WQF AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass

Summary The C parser (the default for most installs) accepted null bytes and control characters in response headers. Impact An attacker could send header values that are interpreted differently than expected due to the presence of control characters. For example, request.url.origin may return a...

9.1 CVSS | 5.9 AI score | 0.00078 EPSS
Exploits 0 | References 5
Snyk
added 2026/04/01 9:49 p.m., 1 view

HTTP Response Splitting

Overview Affected versions of this package are vulnerable to HTTP Response Splitting in the llhttp component. An attacker can manipulate HTTP response headers by injecting null bytes or control characters, causing headers to be interpreted differently by various components, which may lead to...

9.1 CVSS | 5.9 AI score | 0.00078 EPSS
Exploits 0 | References 2
vulnersOsv
added 2026/04/01 9:48 p.m., 2 views

5mghost-rover (>=0.0.1 <=0.0.3), a-mailx (=0.1.0) +1297 more potentially affected by CVE-2026-34519 via aiohttp (>=3.0.0b0 <=3.13.3)

aiohttp PYPI version =3.0.0b0, =0.0.1, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.6.0, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34519 Source advisory: SNYK:PYTHON-AIOHTTP-15873731...

6.9 CVSS | 5.8 AI score | 0.00053 EPSS
Exploits 0
OSV
added 2026/04/01 9:48 p.m., 1 view

GHSA-MWH4-6H8G-PG8W AIOHTTP has HTTP response splitting via \r in reason phrase

Summary An attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. Impact In the unlikely situation that an application allows untrusted data to be used in the response's reason parameter, then an attacker could manipulate the...

6.9 CVSS | 5.8 AI score | 0.00053 EPSS
Exploits 0 | References 5
Snyk
added 2026/04/01 9:48 p.m., 2 views

HTTP Response Splitting

Overview Affected versions of this package are vulnerable to HTTP Response Splitting via the reason parameter in the HTTP response creation process. An attacker can inject unauthorized headers or manipulate the HTTP response by supplying specially crafted input containing carriage return...

6.9 CVSS | 5.9 AI score | 0.00053 EPSS
Exploits 0 | References 2
EUVD
added 2026/04/01 9:48 p.m., 1 view

EUVD-2026-18044

AIOHTTP has HTTP response splitting via \r in reason phrase...

6.9 CVSS | 5.9 AI score | 0.00053 EPSS
Exploits 0 | References 4
Snyk
added 2026/04/01 9:47 p.m., 2 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure in the handling of cross-origin redirects, where Cookie and Proxy-Authorization headers are not properly removed. An attacker can obtain sensitive information by causing a user to follow a redirect to a malicious...

6.9 CVSS | 5.9 AI score | 0.00014 EPSS
Exploits 0 | References 2
OSV
added 2026/04/01 9:47 p.m., 1 view

GHSA-966J-VMVW-G2G9 AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect

Summary When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. Impact The Cookie and Proxy-Authorization headers could contain sensitive information which may be leaked to an unintended party after following...

6.9 CVSS | 5.8 AI score | 0.00014 EPSS
Exploits 0 | References 5
EUVD
added 2026/04/01 9:47 p.m., 4 views

EUVD-2026-18042

AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect...

6.9 CVSS | 5.9 AI score | 0.00014 EPSS
Exploits 0 | References 4
vulnersOsv
added 2026/04/01 9:47 p.m., 3 views

5mghost-rover (>=0.0.1 <=0.0.3), a-mailx (=0.1.0) +1297 more potentially affected by CVE-2026-34518 via aiohttp (>=3.0.0b0 <=3.13.3)

aiohttp PYPI version =3.0.0b0, =0.0.1, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.6.0, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34518 Source advisory: SNYK:PYTHON-AIOHTTP-15873735...

6.9 CVSS | 5.8 AI score | 0.00014 EPSS
Exploits 0
Github Security Blog
added 2026/04/01 9:47 p.m., 4 views

AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect

Summary When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. Impact The Cookie and Proxy-Authorization headers could contain sensitive information which may be leaked to an unintended party after following...

6.9 CVSS | 5.8 AI score | 0.00014 EPSS
Exploits 0 | References 5 | Affected Software 1
OSV
added 2026/04/01 9:47 p.m., 3 views

GHSA-3WQ7-RQQ7-WX6J AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS

Summary For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. Impact If an application uses Request.post, an attacker can send a specially crafted multipart request to force significant temporary memory allocation even when the request is ultimate...

6.9 CVSS | 5.9 AI score | 0.00019 EPSS
Exploits 0 | References 5
vulnersOsv
added 2026/04/01 9:47 p.m., 1 view

5mghost-rover (>=0.0.1 <=0.0.3), a-mailx (=0.1.0) +1297 more potentially affected by CVE-2026-34517 via aiohttp (>=3.0.0b0 <=3.13.3)

aiohttp PYPI version =3.0.0b0, =0.0.1, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.6.0, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34517 Source advisory: SNYK:PYTHON-AIOHTTP-15873734...

6.9 CVSS | 5.8 AI score | 0.00019 EPSS
Exploits 0
EUVD
added 2026/04/01 9:47 p.m., 2 views

EUVD-2026-18041

AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS...

6.9 CVSS | 5.9 AI score | 0.00019 EPSS
Exploits 0 | References 4
Snyk
added 2026/04/01 9:47 p.m., 2 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Request.post function. An attacker can cause excessive memory allocation by sending a specially crafted multipart request containing large non-file fields. Remediation Upgrade...

6.9 CVSS | 5.9 AI score | 0.00019 EPSS
Exploits 0 | References 2
Github Security Blog
added 2026/04/01 9:47 p.m., 3 views

AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS

Summary For some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. Impact If an application uses Request.post, an attacker can send a specially crafted multipart request to force significant temporary memory allocation even when the request is ultimate...

6.9 CVSS | 5.9 AI score | 0.00019 EPSS
Exploits 0 | References 5 | Affected Software 1
EUVD
added 2026/04/01 9:43 p.m., 1 view

EUVD-2026-18040

AIOHTTP has a Multipart Header Size Bypass...

8.7 CVSS | 5.9 AI score | 0.0002 EPSS
Exploits 0 | References 4