VulnerableCode Package Details - pkg:rpm/redhat/python-aiohttp@3.9.4-1?arch=el8pc

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:rpm/redhat/python-aiohttp@3.9.4-1?arch=el8pc

purl	pkg:rpm/redhat/python-aiohttp@3.9.4-1?arch=el8pc

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	3.1

Vulnerabilities affecting this package (1)

Vulnerability	Summary	Fixed by
VCID-tn28-662n-vug8 Aliases: CVE-2024-27306 GHSA-7gpw-8wmc-pm8g	aiohttp Cross-site Scripting vulnerability on index pages for static file handling ### Summary A XSS vulnerability exists on index pages for static file handling. ### Details When using `web.static(..., show_index=True)`, the resulting index pages do not escape file names. If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks. ### Workaround We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade. ----- Patch: https://github.com/aio-libs/aiohttp/pull/8319/files	There are no reported fixed by versions.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:48:06.540677+00:00	RedHat Importer	Affected by	VCID-tn28-662n-vug8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-27306.json	38.0.0