CVE-2026-47265
7.5 HIGH
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python
Published: 2026-06-02 · Last updated: 2026-06-05
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE: CWE-346 (Origin Validation Error)
Affected products
| Vendor | Product |
|---|---|
| aiohttp | aiohttp |
Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on a request are still sent after the client follows a cross-origin redirect. If a developer passes cookies per request through the `cookies` parameter, sensitive data may therefore be leaked to an attacker who manages to control a redirect. Version 3.14.0 patches the issue. If upgrading is not possible, passing the cookies as a `Cookie` header in the `headers` parameter is not affected.
Source: NVD
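The defensive property the fix restores is that per-request credentials must not follow a redirect to a different origin. The example below is an added illustration, not aiohttp's code and not part of the advisory: it implements that policy for a client that follows redirects by hand (for instance by requesting with aiohttp's `allow_redirects=False` and looping over `Location` headers). The `fetch` callable, the `FAKE_SERVER` table and all hostnames are constructed for the demonstration; the origin comparison and the redirect loop are stdlib-only so it runs offline. As a conservative choice that goes slightly beyond the advisory, it also strips explicit `Cookie` and `Authorization` headers on a cross-origin hop.

```python
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Credential-bearing headers that should not cross an origin boundary
# (conservative policy chosen for this example).
STRIP_HEADERS = {"cookie", "authorization"}


def origin_of(url: str) -> Optional[Tuple[str, str, int]]:
    """Return (scheme, host, port) with default ports filled in, or None."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def same_origin(url_a: str, url_b: str) -> bool:
    """True only when scheme, host and effective port all match."""
    a, b = origin_of(url_a), origin_of(url_b)
    return a is not None and a == b


def redirect_request_kwargs(current_url: str, location: str,
                            request_kwargs: Dict) -> Tuple[str, Dict]:
    """Build (next_url, kwargs) for one redirect hop.

    Relative Location values are resolved against the current URL. On a
    cross-origin hop the per-request `cookies` argument is dropped, and any
    explicit credential headers are removed as well.
    """
    next_url = urljoin(current_url, location)
    kwargs = dict(request_kwargs)
    if not same_origin(current_url, next_url):
        kwargs.pop("cookies", None)
        if "headers" in kwargs:
            kwargs["headers"] = {k: v for k, v in kwargs["headers"].items()
                                 if k.lower() not in STRIP_HEADERS}
    return next_url, kwargs


def follow_with_policy(url: str, kwargs: Dict,
                       fetch: Callable[[str, Dict], Tuple[int, Dict[str, str]]],
                       max_redirects: int = 5):
    """Follow 3xx responses while applying the credential policy.

    `fetch(url, kwargs)` performs one request without following redirects
    and returns (status, response_headers). Returns the list of
    (url, kwargs_actually_sent) for every hop, so the trail can be audited.
    """
    trail = []
    for _ in range(max_redirects + 1):
        trail.append((url, dict(kwargs)))
        status, resp_headers = fetch(url, kwargs)
        location = resp_headers.get("Location") if 300 <= status < 400 else None
        if not location:
            return trail
        url, kwargs = redirect_request_kwargs(url, location, kwargs)
    raise RuntimeError("too many redirects")


# Constructed stand-in for a server: URL -> (status, response headers).
FAKE_SERVER = {
    "https://api.example.test/login": (302, {"Location": "https://cdn.example.net/collect"}),
    "https://cdn.example.net/collect": (200, {}),
    "https://api.example.test/old": (301, {"Location": "/new"}),
    "https://api.example.test/new": (200, {}),
}


def fake_fetch(url: str, kwargs: Dict) -> Tuple[int, Dict[str, str]]:
    """Constructed transport: looks the URL up instead of touching the network."""
    return FAKE_SERVER.get(url, (404, {}))


if __name__ == "__main__":
    creds = {"cookies": {"session": "s3cr3t"}, "headers": {"Cookie": "session=s3cr3t"}}
    for hop_url, sent in follow_with_policy("https://api.example.test/login", creds, fake_fetch):
        print(hop_url, "->", sent)
```

In a real client the `fetch` callable would issue the request with redirects disabled and hand back the status and headers; the policy itself does not depend on the HTTP library. The trail returned by `follow_with_policy` is also a useful thing to log, since a cross-origin hop that arrived with credentials attached is exactly the event this CVE describes.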
Related CVEs
Same vendor
- CVE-2026-34993 — AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python (6.4 MEDIUM)
Same CWE
- CVE-2026-11624 — The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent...
- CVE-2026-45173 — Idira Identity Browser Extension (Chrome, Firefox, and Edge builds) versions prior to 26.8.1 exhibit an origin validation flaw within its...
- CVE-2026-12032 — Inappropriate implementation in Passwords in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromis... (3.1 LOW)
- CVE-2026-12024 — Insufficient policy enforcement in DevTools in Google Chrome prior to 149.0.7827.115 allowed a remote attacker to bypass same origin poli... (6.5 MEDIUM)
- CVE-2026-41700 — Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking (8.1 HIGH)