CVE-2026-34520 AIOHTTP: C parser (llhttp) accepts null bytes and control characters in response header values - header injection / security bypass

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser the default for most installs accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4...

CVE-2026-34520

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser the default for most installs accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4...

CVE-2026-34520

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser the default for most installs accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4...

CVE-2026-34520

CVE-2026-34520 affects the aiohttp project. Prior to version 3.13.4, the C parser (llhttp, default for most installs) accepted null bytes and control characters in response header values, enabling header-related issues. The issue has been patched in aiohttp 3.13.4. Per connected sources, the vuln...

CVE-2026-34520 AIOHTTP: C parser (llhttp) accepts null bytes and control characters in response header values - header injection / security bypass

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser the default for most installs accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4...

CVE-2026-34520

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser the default for most installs accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4...

CVE-2026-34519

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4...

CVE-2026-34519

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4...

CVE-2026-34519 AIOHTTP: HTTP response splitting via \r in reason phrase

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4...

CVE-2026-34519

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4...

CVE-2026-34519 AIOHTTP: HTTP response splitting via \r in reason phrase

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4...

CVE-2026-34519

CVE-2026-34519 affects the AIOHTTP library (asyncio-based HTTP client/server for Python). The issue occurs before version 3.13.4 where an attacker controlling the reason parameter when creating a Response can inject extra headers or similar exploits due to header injection in the reason phrase. T...

CVE-2026-34518

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4...

CVE-2026-34518

CVE-2026-34518 affects aiohttp prior to 3.13.4: during cross-origin redirects, the client/server framework drops the Authorization header but keeps Cookie and Proxy-Authorization headers. This could expose sensitive cookie-related data across origins. The issue is fixed in aiohttp 3.13.4.

CVE-2026-34518

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4...

CVE-2026-34518 AIOHTTP: Cookie and Proxy-Authorization headers leaked on cross-origin redirect

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4...

CVE-2026-34518 AIOHTTP: Cookie and Proxy-Authorization headers leaked on cross-origin redirect

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4...

CVE-2026-34517 AIOHTTP: Late size enforcement for non-file multipart fields causes memory DoS

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking clientmaxsize. This issue has been patched in version 3.13.4...

CVE-2026-34517

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking clientmaxsize. This issue has been patched in version 3.13.4...

CVE-2026-34517

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking clientmaxsize. This issue has been patched in version 3.13.4...