CVE-2026-34993
6.4 MEDIUMAIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python
Published: 2026-06-02 · Last updated: 2026-06-05
Severity and scoring
- CVSS
- 6.4 MEDIUM
- Vector
- CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L
- CWE
- CWE-502
Affected products
| Vendor | Product |
|---|---|
| aiohttp | aiohttp |
Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-47265 — AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python (7.5 HIGH)
Same CWE
- CVE-2026-12191 — A vulnerability was found in Comma AI Openpilot 0.11 (7.8 HIGH)
- CVE-2026-41699 — Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries (8.1 HIGH)
- CVE-2026-20251 — In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, ... (8.8 HIGH)
- CVE-2026-53435 — In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined i... (8.8 HIGH)
- CVE-2026-52751 — Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthe... (8.8 HIGH)