5mghost-rover (>=0.0.1 <=0.0.3), a-mailx (=0.1.0) +1297 more potentially affected by CVE-2026-34516 via aiohttp (>=3.0.0b0 <=3.13.3)

aiohttp PYPI version =3.0.0b0, =0.0.1, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.6.0, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34516 Source advisory: SNYK:PYTHON-AIOHTTP-15873732...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the processing of multipart headers. An attacker can cause excessive memory consumption by sending a response with an unusually large number of multipart headers. Remediation Upgra...

AIOHTTP has a Multipart Header Size Bypass

Summary A response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. Impact Multipart headers were not subject to the same size restrictions in place for normal headers, potentially allowing substantially more...

GHSA-M5QP-6W8W-W647 AIOHTTP has a Multipart Header Size Bypass

Summary A response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. Impact Multipart headers were not subject to the same size restrictions in place for normal headers, potentially allowing substantially more...

GHSA-P998-JP59-783M AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows

Summary On Windows the static resource handler may expose information about a NTLMv2 remote path. Impact If an application is running on Windows, and using aiohttp's static resource handler not recommended in production, then it may be possible for an attacker to extract the hash from an NTLMv2...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the static resource handler on Windows. An attacker can extract NTLMv2 credential hashes by accessing specially crafted remote paths, potentially leading to credential theft. Remediation Upgrade aioht...

5mghost-rover (>=0.0.1 <=0.0.3), a-mailx (=0.1.0) +1297 more potentially affected by CVE-2026-34515 via aiohttp (>=3.0.0b0 <=3.13.3)

aiohttp PYPI version =3.0.0b0, =0.0.1, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.6.0, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34515 Source advisory: SNYK:PYTHON-AIOHTTP-15873738...

AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows

Summary On Windows the static resource handler may expose information about a NTLMv2 remote path. Impact If an application is running on Windows, and using aiohttp's static resource handler not recommended in production, then it may be possible for an attacker to extract the hash from an NTLMv2...

5mghost-rover (>=0.0.1 <=0.0.3), a-mailx (=0.1.0) +1297 more potentially affected by CVE-2026-34514 via aiohttp (>=3.0.0b0 <=3.13.3)

aiohttp PYPI version =3.0.0b0, =0.0.1, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.6.0, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34514 Source advisory: SNYK:PYTHON-AIOHTTP-15873736...

HTTP Response Splitting

Overview Affected versions of this package are vulnerable to HTTP Response Splitting in the construction of multipart request headers when untrusted input is used for the contenttype parameter. An attacker can inject arbitrary headers or manipulate HTTP requests by supplying specially crafted...

GHSA-2VRM-GR82-F7M5 AIOHTTP has CRLF injection through multipart part content type header construction

Summary An attacker who controls the contenttype parameter in aiohttp could use this to inject extra headers or similar exploits. Impact If an application allows untrusted data to be used for the multipart contenttype parameter when constructing a request, an attacker may be able to manipulate th...

AIOHTTP has CRLF injection through multipart part content type header construction

Summary An attacker who controls the contenttype parameter in aiohttp could use this to inject extra headers or similar exploits. Impact If an application allows untrusted data to be used for the multipart contenttype parameter when constructing a request, an attacker may be able to manipulate th...

GHSA-HCC4-C3V8-RX92 AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector

Summary An unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. Impact If an application makes requests to a very large number of hosts, this could cause the DNS cache to continue growing and slowly use excessive amounts of memory. ----- Patch:...

5mghost-rover (>=0.0.1 <=0.0.3), a-mailx (=0.1.0) +1297 more potentially affected by CVE-2026-34513 via aiohttp (>=3.0.0b0 <=3.13.3)

aiohttp PYPI version =3.0.0b0, =0.0.1, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.6.0, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34513 Source advisory: SNYK:PYTHON-AIOHTTP-15873737...

AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector

Summary An unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. Impact If an application makes requests to a very large number of hosts, this could cause the DNS cache to continue growing and slowly use excessive amounts of memory. ----- Patch:...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the TCPConnector function. An attacker can cause excessive memory consumption by making requests to a very large number of hosts, leading to resource exhaustion. Remediation Upgrad...

UBUNTU-CVE-2026-34519

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4...

CVE-2026-34525

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4...

CVE-2026-34518

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4...

UBUNTU-CVE-2026-34518

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4...