CVE-2026-34993

EUVD-2026-34001
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.4 MEDIUM
LOCAL
HIGH
HIGH
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
Affected Products (NVD)
VendorProductVersion
aiohttpaiohttp
𝑥
< 3.14.0
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
Red HatRed Hat OpenShift AI 2.25
1780078807 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 2.25
1780078840 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 2.25
1780069179 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 2.25
1780069181 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.3
1782887848 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.3
1782472374 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782726504 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782132167 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782132207 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782132237 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782132240 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782132286 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782132236 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782132163 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782132297 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.4
1782133907 ≤
𝑥
< *
ADP
Debian logo
Debian Releases
Debian Product
Codename
python-aiohttp
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
3.14.1-4
fixed
sid
3.14.1-4
fixed
trixie
no-dsa
trixie (security)
vulnerable