CVE-2026-34525

A flaw was found in aiohttp, an asynchronous HTTP client/server framework for Python. This vulnerability allows a remote attacker to send multiple Host headers in a single request. This can lead to unexpected behavior, potentially bypassing security controls or causing cache poisoning, which may...

CVE-2026-34519

A flaw was found in aiohttp, an asynchronous HTTP client/server framework for Python. A remote attacker could exploit this vulnerability by controlling the 'reason' parameter during the creation of an HTTP response. This could allow the attacker to inject additional HTTP headers, potentially...

CVE-2026-34514

A flaw was found in AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python. A remote attacker, by manipulating the contenttype parameter, could inject additional HTTP headers. This could lead to unexpected behavior or bypass certain security measures within applications...

CVE-2026-34513

A flaw was found in AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python. This vulnerability allows a remote attacker to cause excessive memory usage by exploiting an unbounded Domain Name System DNS cache. This can lead to a Denial of Service DoS condition, making the...

CVE-2026-34516

A flaw was found in AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python. A remote attacker could exploit this vulnerability by sending a response with an excessive number of multipart headers. This could cause the system to consume more memory than intended, leading to a...

CVE-2026-34515

A flaw was found in AIOHTTP, an asynchronous HTTP client/server framework. On Windows systems, the static resource handler may inadvertently expose sensitive information related to a NTLMv2 remote path. This information disclosure vulnerability could allow an attacker to gain insights into the...

a-mailx (=0.1.0), a2a-acl (=0.0.15) +1217 more potentially affected by CVE-2026-34525 via aiohttp (>=3.0.0b0 <=3.13.3)

aiohttp PYPI version =3.0.0b0, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34525 Source advisory: SNYK:PYTHON-AIOHTTP-15873733...

a-mailx (=0.1.0), a2a-acl (=0.0.15) +1346 more potentially affected by CVE-2026-34525 via aiohttp (>=0.13.1 <=3.13.3)

aiohttp PYPI version =0.13.1, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34525 Source advisory: OSV:GHSA-C427-H43C-VF67...

GHSA-C427-H43C-VF67 AIOHTTP accepts duplicate Host headers

Summary Multiple Host headers were allowed in aiohttp. Impact Mostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly...

AIOHTTP accepts duplicate Host headers

Summary Multiple Host headers were allowed in aiohttp. Impact Mostly this doesn't affect aiohttp security itself, but if a reverse proxy is applying security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly...

HTTP Request Smuggling

Overview Affected versions of this package are vulnerable to HTTP Request Smuggling via the processing of duplicate Host headers. An attacker can bypass security checks enforced by a reverse proxy by sending requests with multiple Host headers, potentially causing the proxy and the backend to...

a-mailx (=0.1.0), a2a-acl (=0.0.15) +1217 more potentially affected by CVE-2026-34520 via aiohttp (>=3.0.0b0 <=3.13.3)

aiohttp PYPI version =3.0.0b0, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34520 Source advisory: SNYK:PYTHON-AIOHTTP-15873704...

EUVD-2026-18046

AIOHTTP's C parser llhttp accepts null bytes and control characters in response header values - header injection/security bypass...

a-mailx (=0.1.0), a2a-acl (=0.0.15) +1346 more potentially affected by CVE-2026-34520 via aiohttp (>=0.13.1 <=3.13.3)

aiohttp PYPI version =0.13.1, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34520 Source advisory: OSV:GHSA-63HF-3VF5-4WQF...

GHSA-63HF-3VF5-4WQF AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass

Summary The C parser the default for most installs accepted null bytes and control characters is response headers. Impact An attacker could send header values that are interpreted differently than expected due to the presence of control characters. For example, request.url.origin may return a...

HTTP Response Splitting

Overview Affected versions of this package are vulnerable to HTTP Response Splitting in the llhttp component. An attacker can manipulate HTTP response headers by injecting null bytes or control characters, causing headers to be interpreted differently by various components, which may lead to...

a-mailx (=0.1.0), a2a-acl (=0.0.15) +1217 more potentially affected by CVE-2026-34519 via aiohttp (>=3.0.0b0 <=3.13.3)

aiohttp PYPI version =3.0.0b0, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34519 Source advisory: SNYK:PYTHON-AIOHTTP-15873731...

EUVD-2026-18044

AIOHTTP has HTTP response splitting via \r in reason phrase...

a-mailx (=0.1.0), a2a-acl (=0.0.15) +1346 more potentially affected by CVE-2026-34519 via aiohttp (>=0.13.1 <=3.13.3)

aiohttp PYPI version =0.13.1, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34519 Source advisory: OSV:GHSA-MWH4-6H8G-PG8W...

GHSA-MWH4-6H8G-PG8W AIOHTTP has HTTP response splitting via \r in reason phrase

Summary An attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. Impact In the unlikely situation that an application allows untrusted data to be used in the response's reason parameter, then an attacker could manipulate the...