PT-2026-29610

Name of the Vulnerable Software and Affected Versions AIOHTTP versions prior to 3.13.4 Description Multiple Host headers were permitted in AIOHTTP, potentially allowing a reverse proxy's security rules to be bypassed. This could lead to a request being processed by AIOHTTP in a privileged sub...

PT-2026-29606

Name of the Vulnerable Software and Affected Versions AIOHTTP versions prior to 3.13.4 Description Prior to version 3.13.4, AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python, read the entire multipart form field into memory before checking the client max size limit. Thi...

PT-2026-29609

Name of the Vulnerable Software and Affected Versions AIOHTTP versions prior to 3.13.4 Description The C parser, used by default in most installations, allowed null bytes and control characters within response headers. An attacker could leverage this to send header values that are interpreted...

PT-2026-29607

Name of the Vulnerable Software and Affected Versions AIOHTTP versions prior to 3.13.4 Description When following redirects to a different origin, aiohttp removes the Authorization header while keeping the Cookie and Proxy-Authorization headers. This could lead to the leakage of sensitive...

PT-2026-29604

Name of the Vulnerable Software and Affected Versions AIOHTTP versions prior to 3.13.4 Description Prior to version 3.13.4, on Windows, the static resource handler in AIOHTTP may expose information about a NTLMv2 remote path. This could potentially allow an attacker to extract the hash from an...

OESA-2026-1682 python-aiohttp security update

Async http client/server framework asyncio. Security Fixes: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the...

SUSE SLES15 Security Update : python-aiohttp (SUSE-SU-2026:0859-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0859-1 advisory. - CVE-2025-69228: Fixed denial of service through large payloads bsc1256022. - CVE-2025-69226: Fixed brute-force leak of internal...

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : python-aiohttp (SUSE-SU-2026:0858-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0858-1 advisory. - CVE-2025-69228: Fixed denial of service through large payloads bsc1256022. - CVE-2025-69226:...

Security update for python-aiohttp

This update for python-aiohttp fixes the following issues: CVE-2025-69228: Fixed denial of service through large payloads bsc1256022. CVE-2025-69226: Fixed brute-force leak of internal static file path components bsc1256020. CVE-2025-69224: Fixed unicode processing of header values could cause...

Security update for python-aiohttp

This update for python-aiohttp fixes the following issues: CVE-2025-69228: Fixed denial of service through large payloads bsc1256022. CVE-2025-69226: Fixed brute-force leak of internal static file path components bsc1256020. CVE-2025-69224: Fixed unicode processing of header values could cause...

CVE-2026-25960

vLLM is an inference and serving engine for large language models LLMs. The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the loadfromurlasync method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses...

CVE-2026-25960 SSRF Protection Bypass in vLLM

vLLM is an inference and serving engine for large language models LLMs. The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the loadfromurlasync method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses...

GHSA-V359-JJ2V-J536 vLLM has SSRF Protection Bypass

Summary The SSRF protection fix for https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc can be bypassed in the loadfromurlasync method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. Affected Component - File:...

PT-2026-24113

vLLM is an inference and serving engine for large language models LLMs. The SSRF protection fix for CVE-2026-24779 add in 0.15.1 can be bypassed in the load from url async method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. The SSRF fix uses...

aiohttp: AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb

A decompression based denial of service flaw has been discovered in the AIOHTTP python library. Library versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could...

Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 : AIOHTTP vulnerabilities (USN-8032-1)

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8032-1 advisory. Charles Chan discovered that AIOHTTP incorrectly handled the decompression of compressed requests. A remote...

Ubuntu: Security Advisory (USN-8032-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Important: Red Hat Security Advisory: Satellite 6.18.3 Async Update

A new release is now available for Red Hat Satellite 6.18 for RHEL 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from th...

aiohttp: AIOHTTP HTTP Request/Response Smuggling

A request smuggling flaw was found in the aiohttp python library. If a pure Python version of aiohttp is installed, without the usual C extensions, for example, or if AIOHTTPNOEXTENSIONS is enabled, an attacker can execute a request smuggling attack to bypass certain firewalls or proxy protection...

RHEL 9 : Satellite 6.18.3 Async Update (Important) (RHSA-2026:2760)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:2760 advisory. Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to...