CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

5.3CVSS5.8AI score0.00263EPSS

UBUNTU-CVE-2026-54279

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, host-only cookies that are saved with CookieJar.save and then restored later with CookieJar.load lose their host-only status. This vulnerability is fixed in 3.14.1...

8.7CVSS5.8AI score0.00279EPSS

UBUNTU-CVE-2026-54277

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, it is possible to bypass the maxlinesize check in parts of an HTTP request in the C parser. If using the optimised C parser the default in pre-built wheels, then an attacker may be able to send...

8.7CVSS5.8AI score0.00279EPSS

UBUNTU-CVE-2026-54274

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. This vulnerability is fixed in 3.14.1...

8.7CVSS5.8AI score0.00263EPSS

UBUNTU-CVE-2026-54273

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, no limit was present on the number of pipelined requests that could be queued. An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. This...

OSV•added 2 days ago•5 views

UBUNTU-CVE-2026-54278

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, during cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. An attacker may be able to send a compressed payload in specific situations that could be...

8.7CVSS5.8AI score0.00263EPSS

Tenable Nessus•added 2 days ago•3 views

Linux Distros Unpatched Vulnerability : CVE-2026-54277

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, it is possible to bypass the maxlinesize check in parts of an...

8.7CVSS5.9AI score0.00279EPSS

OSV•added 2026/06/15 8:10 p.m.•2 views

GHSA-9X8Q-7H8H-WCW9 aiohttp: Payload Response Resources Are Not Closed After Mid-Body Disconnect

Summary Payload resources are not closed correctly when a client disconnects in the middle of a write. Impact If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file...

6.3CVSS5.3AI score0.00247EPSS

OSV•added 2026/06/15 8:9 p.m.•3 views

GHSA-G3CQ-J2XW-WF74 aiohttp: Unread Compressed Request Bodies Bypass client_max_size During Cleanup

Summary During cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. Impact An attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS a zip bomb edge case. Workaround...

8.7CVSS5.3AI score0.00263EPSS

OSV•added 2026/06/15 8:8 p.m.•8 views

GHSA-2FQR-MR3J-6WP8 aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence

Summary Host-only cookies that are saved with CookieJar.save and then restored later with CookieJar.load lose their host-only status. Impact Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disallowed. ----- Patch:...

5.3CVSS5.4AI score0.00263EPSS

Snyk•added 2026/06/15 8:7 p.m.•8 views

HTTP Response Splitting

Overview Affected versions of this package are vulnerable to HTTP Response Splitting via MultipartWriter.append or Payload.headers when attacker-controlled input is included in multipart or payload headers. An attacker can inject additional headers or alter the contents of a request by supplying...

6.9CVSS5.3AI score0.00273EPSS

OSV•added 2026/06/02 8:16 p.m.•6 views

UBUNTU-CVE-2026-47265

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the cookies parameter on requests are sent after following a cross-origin redirect. If a developer uses the cookies parameter on a per-request basis then sensitive data might ...

8.7CVSS5.3AI score0.0015EPSS

OSV•added 2026/06/02 8:16 p.m.•11 views

UBUNTU-CVE-2026-34993

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using CookieJar.load with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect man...

7.3CVSS8.1AI score0.00115EPSS

Tenable Nessus•added 2026/04/03 12:0 a.m.•4 views

Linux Distros Unpatched Vulnerability : CVE-2026-34517

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire...

6.9CVSS5.4AI score0.00384EPSS

Snyk•added 2026/04/01 9:48 p.m.•3 views

HTTP Response Splitting

Overview Affected versions of this package are vulnerable to HTTP Response Splitting via the reason parameter in the HTTP response creation process. An attacker can inject unauthorized headers or manipulate the HTTP response by supplying specially crafted input containing carriage return...

6.9CVSS5.9AI score0.00292EPSS

Snyk•added 2026/04/01 9:26 p.m.•1 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the static resource handler on Windows. An attacker can extract NTLMv2 credential hashes by accessing specially crafted remote paths, potentially leading to credential theft. Remediation Upgrade aioht...

8.7CVSS5.9AI score0.00433EPSS