| 0 |
| url |
VCID-19q4-vzzb-8uca |
| vulnerability_id |
VCID-19q4-vzzb-8uca |
| summary |
|
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34519 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00039 |
| scoring_system |
epss |
| scoring_elements |
0.11693 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00039 |
| scoring_system |
epss |
| scoring_elements |
0.1165 |
| published_at |
2026-04-29T12:55:00Z |
|
| 2 |
| value |
0.00039 |
| scoring_system |
epss |
| scoring_elements |
0.11732 |
| published_at |
2026-04-26T12:55:00Z |
|
| 3 |
| value |
0.00039 |
| scoring_system |
epss |
| scoring_elements |
0.11778 |
| published_at |
2026-04-24T12:55:00Z |
|
| 4 |
| value |
0.00039 |
| scoring_system |
epss |
| scoring_elements |
0.1181 |
| published_at |
2026-04-21T12:55:00Z |
|
| 5 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.12798 |
| published_at |
2026-05-05T12:55:00Z |
|
| 6 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13105 |
| published_at |
2026-05-14T12:55:00Z |
|
| 7 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13032 |
| published_at |
2026-05-12T12:55:00Z |
|
| 8 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13007 |
| published_at |
2026-05-11T12:55:00Z |
|
| 9 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13019 |
| published_at |
2026-05-09T12:55:00Z |
|
| 10 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.12951 |
| published_at |
2026-05-07T12:55:00Z |
|
| 11 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.13791 |
| published_at |
2026-04-04T12:55:00Z |
|
| 12 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.13732 |
| published_at |
2026-04-02T12:55:00Z |
|
| 13 |
| value |
0.00059 |
| scoring_system |
epss |
| scoring_elements |
0.18423 |
| published_at |
2026-04-09T12:55:00Z |
|
| 14 |
| value |
0.00059 |
| scoring_system |
epss |
| scoring_elements |
0.18422 |
| published_at |
2026-04-11T12:55:00Z |
|
| 15 |
| value |
0.00059 |
| scoring_system |
epss |
| scoring_elements |
0.18268 |
| published_at |
2026-04-16T12:55:00Z |
|
| 16 |
| value |
0.00059 |
| scoring_system |
epss |
| scoring_elements |
0.18323 |
| published_at |
2026-04-13T12:55:00Z |
|
| 17 |
| value |
0.00059 |
| scoring_system |
epss |
| scoring_elements |
0.18375 |
| published_at |
2026-04-12T12:55:00Z |
|
| 18 |
| value |
0.00059 |
| scoring_system |
epss |
| scoring_elements |
0.18287 |
| published_at |
2026-04-07T12:55:00Z |
|
| 19 |
| value |
0.00059 |
| scoring_system |
epss |
| scoring_elements |
0.1837 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34519 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-34519, GHSA-mwh4-6h8g-pg8w
|
| risk_score |
2.4 |
| exploitability |
0.5 |
| weighted_severity |
4.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-19q4-vzzb-8uca |
|
| 1 |
| url |
VCID-5f1f-mrwv-zucz |
| vulnerability_id |
VCID-5f1f-mrwv-zucz |
| summary |
|
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34513 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0004 |
| scoring_system |
epss |
| scoring_elements |
0.122 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.0004 |
| scoring_system |
epss |
| scoring_elements |
0.12245 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16263 |
| published_at |
2026-04-24T12:55:00Z |
|
| 3 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16369 |
| published_at |
2026-04-21T12:55:00Z |
|
| 4 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16335 |
| published_at |
2026-04-18T12:55:00Z |
|
| 5 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16315 |
| published_at |
2026-04-16T12:55:00Z |
|
| 6 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16386 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16446 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16485 |
| published_at |
2026-04-11T12:55:00Z |
|
| 9 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.165 |
| published_at |
2026-04-09T12:55:00Z |
|
| 10 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16355 |
| published_at |
2026-04-07T12:55:00Z |
|
| 11 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16441 |
| published_at |
2026-04-08T12:55:00Z |
|
| 12 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16218 |
| published_at |
2026-04-29T12:55:00Z |
|
| 13 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16259 |
| published_at |
2026-04-26T12:55:00Z |
|
| 14 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17815 |
| published_at |
2026-05-14T12:55:00Z |
|
| 15 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17544 |
| published_at |
2026-05-05T12:55:00Z |
|
| 16 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17637 |
| published_at |
2026-05-07T12:55:00Z |
|
| 17 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17738 |
| published_at |
2026-05-09T12:55:00Z |
|
| 18 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17698 |
| published_at |
2026-05-11T12:55:00Z |
|
| 19 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17736 |
| published_at |
2026-05-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34513 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-34513, GHSA-hcc4-c3v8-rx92
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5f1f-mrwv-zucz |
|
| 2 |
| url |
VCID-88cm-cxp9-ekgn |
| vulnerability_id |
VCID-88cm-cxp9-ekgn |
| summary |
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows: `pip install "aiohttp>=3.7.4"` (the requirement is quoted so that the shell does not treat `>` as an output redirection). If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-21330 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00494 |
| scoring_system |
epss |
| scoring_elements |
0.65898 |
| published_at |
2026-05-14T12:55:00Z |
|
| 1 |
| value |
0.00494 |
| scoring_system |
epss |
| scoring_elements |
0.65842 |
| published_at |
2026-05-12T12:55:00Z |
|
| 2 |
| value |
0.00494 |
| scoring_system |
epss |
| scoring_elements |
0.65823 |
| published_at |
2026-05-11T12:55:00Z |
|
| 3 |
| value |
0.00494 |
| scoring_system |
epss |
| scoring_elements |
0.65853 |
| published_at |
2026-05-09T12:55:00Z |
|
| 4 |
| value |
0.00494 |
| scoring_system |
epss |
| scoring_elements |
0.65809 |
| published_at |
2026-05-07T12:55:00Z |
|
| 5 |
| value |
0.00494 |
| scoring_system |
epss |
| scoring_elements |
0.6576 |
| published_at |
2026-05-05T12:55:00Z |
|
| 6 |
| value |
0.00494 |
| scoring_system |
epss |
| scoring_elements |
0.65786 |
| published_at |
2026-04-29T12:55:00Z |
|
| 7 |
| value |
0.00494 |
| scoring_system |
epss |
| scoring_elements |
0.65775 |
| published_at |
2026-04-24T12:55:00Z |
|
| 8 |
| value |
0.00494 |
| scoring_system |
epss |
| scoring_elements |
0.65777 |
| published_at |
2026-04-18T12:55:00Z |
|
| 9 |
| value |
0.00494 |
| scoring_system |
epss |
| scoring_elements |
0.65643 |
| published_at |
2026-04-01T12:55:00Z |
|
| 10 |
| value |
0.00494 |
| scoring_system |
epss |
| scoring_elements |
0.65758 |
| published_at |
2026-04-12T12:55:00Z |
|
| 11 |
| value |
0.00494 |
| scoring_system |
epss |
| scoring_elements |
0.65772 |
| published_at |
2026-04-11T12:55:00Z |
|
| 12 |
| value |
0.00494 |
| scoring_system |
epss |
| scoring_elements |
0.65751 |
| published_at |
2026-04-09T12:55:00Z |
|
| 13 |
| value |
0.00494 |
| scoring_system |
epss |
| scoring_elements |
0.65739 |
| published_at |
2026-04-08T12:55:00Z |
|
| 14 |
| value |
0.00494 |
| scoring_system |
epss |
| scoring_elements |
0.65688 |
| published_at |
2026-04-07T12:55:00Z |
|
| 15 |
| value |
0.00494 |
| scoring_system |
epss |
| scoring_elements |
0.65722 |
| published_at |
2026-04-04T12:55:00Z |
|
| 16 |
| value |
0.00494 |
| scoring_system |
epss |
| scoring_elements |
0.65692 |
| published_at |
2026-04-02T12:55:00Z |
|
| 17 |
| value |
0.00494 |
| scoring_system |
epss |
| scoring_elements |
0.65763 |
| published_at |
2026-04-21T12:55:00Z |
|
| 18 |
| value |
0.00494 |
| scoring_system |
epss |
| scoring_elements |
0.65728 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-21330 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/aio-libs/aiohttp |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/aio-libs/aiohttp |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
| reference_url |
https://pypi.org/project/aiohttp |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://pypi.org/project/aiohttp |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/aiohttp@3.7.4 |
| purl |
pkg:pypi/aiohttp@3.7.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-19q4-vzzb-8uca |
|
| 1 |
| vulnerability |
VCID-5f1f-mrwv-zucz |
|
| 2 |
| vulnerability |
VCID-bcuu-jvzt-6fhn |
|
| 3 |
| vulnerability |
VCID-bhkk-2b7c-wfgr |
|
| 4 |
| vulnerability |
VCID-cg9h-fysf-xygf |
|
| 5 |
| vulnerability |
VCID-d3pa-kwgz-vuag |
|
| 6 |
| vulnerability |
VCID-dr2r-7qda-tfh5 |
|
| 7 |
| vulnerability |
VCID-drqp-x9gc-2qd3 |
|
| 8 |
| vulnerability |
VCID-ft9z-nd6x-27dz |
|
| 9 |
| vulnerability |
VCID-g4rj-1kzy-pkft |
|
| 10 |
| vulnerability |
VCID-hyh4-58xy-xfge |
|
| 11 |
| vulnerability |
VCID-jxqg-x9dh-z3hb |
|
| 12 |
| vulnerability |
VCID-k122-7d38-2ug5 |
|
| 13 |
| vulnerability |
VCID-kf4p-q9n9-ayhn |
|
| 14 |
| vulnerability |
VCID-peyu-fxyx-ayde |
|
| 15 |
| vulnerability |
VCID-pmr9-w1fc-93cm |
|
| 16 |
| vulnerability |
VCID-pqus-ew4j-k7da |
|
| 17 |
| vulnerability |
VCID-qrus-4szm-c3bj |
|
| 18 |
| vulnerability |
VCID-qt9z-6kwe-wbht |
|
| 19 |
| vulnerability |
VCID-sjws-ddnq-fke2 |
|
| 20 |
| vulnerability |
VCID-t2aj-cszz-tyd7 |
|
| 21 |
| vulnerability |
VCID-t9gx-etxx-vkgb |
|
| 22 |
| vulnerability |
VCID-tmjw-8cdt-7yf7 |
|
| 23 |
| vulnerability |
VCID-tn28-662n-vug8 |
|
| 24 |
| vulnerability |
VCID-ttq3-65ny-skdg |
|
| 25 |
| vulnerability |
VCID-ue33-na1g-rqa7 |
|
| 26 |
| vulnerability |
VCID-vqvz-jfqh-jkaz |
|
| 27 |
| vulnerability |
VCID-zf8d-kxf1-sqds |
|
| 28 |
| vulnerability |
VCID-zm3a-mf2z-xfcm |
|
| 29 |
| vulnerability |
VCID-zrgm-47ph-x3g3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.7.4 |
|
|
| aliases |
CVE-2021-21330, GHSA-v6wp-4m6f-gcjg, PYSEC-2021-76
|
| risk_score |
3.7 |
| exploitability |
0.5 |
| weighted_severity |
7.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-88cm-cxp9-ekgn |
|
| 3 |
| url |
VCID-bcuu-jvzt-6fhn |
| vulnerability_id |
VCID-bcuu-jvzt-6fhn |
| summary |
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-49081 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00457 |
| scoring_system |
epss |
| scoring_elements |
0.63955 |
| published_at |
2026-05-05T12:55:00Z |
|
| 1 |
| value |
0.00457 |
| scoring_system |
epss |
| scoring_elements |
0.64091 |
| published_at |
2026-05-14T12:55:00Z |
|
| 2 |
| value |
0.00457 |
| scoring_system |
epss |
| scoring_elements |
0.64039 |
| published_at |
2026-05-12T12:55:00Z |
|
| 3 |
| value |
0.00457 |
| scoring_system |
epss |
| scoring_elements |
0.64013 |
| published_at |
2026-05-11T12:55:00Z |
|
| 4 |
| value |
0.00457 |
| scoring_system |
epss |
| scoring_elements |
0.64046 |
| published_at |
2026-05-09T12:55:00Z |
|
| 5 |
| value |
0.00457 |
| scoring_system |
epss |
| scoring_elements |
0.63999 |
| published_at |
2026-05-07T12:55:00Z |
|
| 6 |
| value |
0.00457 |
| scoring_system |
epss |
| scoring_elements |
0.63983 |
| published_at |
2026-04-29T12:55:00Z |
|
| 7 |
| value |
0.00457 |
| scoring_system |
epss |
| scoring_elements |
0.63985 |
| published_at |
2026-04-26T12:55:00Z |
|
| 8 |
| value |
0.00457 |
| scoring_system |
epss |
| scoring_elements |
0.63973 |
| published_at |
2026-04-24T12:55:00Z |
|
| 9 |
| value |
0.00457 |
| scoring_system |
epss |
| scoring_elements |
0.63965 |
| published_at |
2026-04-18T12:55:00Z |
|
| 10 |
| value |
0.00457 |
| scoring_system |
epss |
| scoring_elements |
0.6392 |
| published_at |
2026-04-13T12:55:00Z |
|
| 11 |
| value |
0.00457 |
| scoring_system |
epss |
| scoring_elements |
0.63953 |
| published_at |
2026-04-12T12:55:00Z |
|
| 12 |
| value |
0.00457 |
| scoring_system |
epss |
| scoring_elements |
0.63967 |
| published_at |
2026-04-11T12:55:00Z |
|
| 13 |
| value |
0.00457 |
| scoring_system |
epss |
| scoring_elements |
0.63902 |
| published_at |
2026-04-02T12:55:00Z |
|
| 14 |
| value |
0.00457 |
| scoring_system |
epss |
| scoring_elements |
0.63928 |
| published_at |
2026-04-04T12:55:00Z |
|
| 15 |
| value |
0.00457 |
| scoring_system |
epss |
| scoring_elements |
0.63886 |
| published_at |
2026-04-07T12:55:00Z |
|
| 16 |
| value |
0.00457 |
| scoring_system |
epss |
| scoring_elements |
0.63937 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-49081 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/aio-libs/aiohttp |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/aio-libs/aiohttp |
|
| 6 |
|
| 7 |
| reference_url |
https://github.com/aio-libs/aiohttp/pull/7835/files |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
7.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/aio-libs/aiohttp/pull/7835/files |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/aiohttp@3.9.0 |
| purl |
pkg:pypi/aiohttp@3.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-19q4-vzzb-8uca |
|
| 1 |
| vulnerability |
VCID-5f1f-mrwv-zucz |
|
| 2 |
| vulnerability |
VCID-bhkk-2b7c-wfgr |
|
| 3 |
| vulnerability |
VCID-cg9h-fysf-xygf |
|
| 4 |
| vulnerability |
VCID-d3pa-kwgz-vuag |
|
| 5 |
| vulnerability |
VCID-dr2r-7qda-tfh5 |
|
| 6 |
| vulnerability |
VCID-drqp-x9gc-2qd3 |
|
| 7 |
| vulnerability |
VCID-ft9z-nd6x-27dz |
|
| 8 |
| vulnerability |
VCID-g4rj-1kzy-pkft |
|
| 9 |
| vulnerability |
VCID-hyh4-58xy-xfge |
|
| 10 |
| vulnerability |
VCID-jxqg-x9dh-z3hb |
|
| 11 |
| vulnerability |
VCID-k122-7d38-2ug5 |
|
| 12 |
| vulnerability |
VCID-kf4p-q9n9-ayhn |
|
| 13 |
| vulnerability |
VCID-peyu-fxyx-ayde |
|
| 14 |
| vulnerability |
VCID-pqus-ew4j-k7da |
|
| 15 |
| vulnerability |
VCID-qrus-4szm-c3bj |
|
| 16 |
| vulnerability |
VCID-qt9z-6kwe-wbht |
|
| 17 |
| vulnerability |
VCID-sjws-ddnq-fke2 |
|
| 18 |
| vulnerability |
VCID-t9gx-etxx-vkgb |
|
| 19 |
| vulnerability |
VCID-tmjw-8cdt-7yf7 |
|
| 20 |
| vulnerability |
VCID-tn28-662n-vug8 |
|
| 21 |
| vulnerability |
VCID-vqvz-jfqh-jkaz |
|
| 22 |
| vulnerability |
VCID-zm3a-mf2z-xfcm |
|
| 23 |
| vulnerability |
VCID-zrgm-47ph-x3g3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.9.0 |
|
|
| aliases |
CVE-2023-49081, GHSA-q3qx-c6g2-7pw2, PYSEC-2023-250
|
| risk_score |
3.2 |
| exploitability |
0.5 |
| weighted_severity |
6.5 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bcuu-jvzt-6fhn |
|
| 4 |
| url |
VCID-bhkk-2b7c-wfgr |
| vulnerability_id |
VCID-bhkk-2b7c-wfgr |
| summary |
aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests
### Summary
An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.
### Impact
An attacker can stop the application from serving requests after sending a single request.
-------
For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in `_read_chunk_from_length()`):
```diff
diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py
index 227be605c..71fc2654a 100644
--- a/aiohttp/multipart.py
+++ b/aiohttp/multipart.py
@@ -338,6 +338,8 @@ class BodyPartReader:
assert self._length is not None, "Content-Length required for chunked read"
chunk_size = min(size, self._length - self._read_bytes)
chunk = await self._content.read(chunk_size)
+ if self._content.at_eof():
+ self._at_eof = True
return chunk
async def _read_chunk_from_stream(self, size: int) -> bytes:
```
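Review bot: The added `at_eof()` branch ends the part as soon as the underlying stream is exhausted, but nothing in this hunk distinguishes that from a part that arrived shorter than its declared Content-Length, so a truncated upload appears to finish the same way as a complete one. Whether a caller later compares the bytes read with `self._length` cannot be seen here, because the body of `_read_chunk_from_length()` starts above the hunk. When backporting, I would record the intent with a comment above the new branch, `# stream ended before Content-Length bytes arrived: mark EOF so the read loop terminates`, and consider logging the short read so it is visible in server logs. The `assert` on the context line is skipped under `python -O`, so it should not be the only guard on `self._length`.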
This minimal patch does, however, introduce some very minor issues with handling form data, so, if possible, it is recommended to also backport the changes in:
https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19
https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597
https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866 |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-30251 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00331 |
| scoring_system |
epss |
| scoring_elements |
0.56062 |
| published_at |
2026-05-14T12:55:00Z |
|
| 1 |
| value |
0.00331 |
| scoring_system |
epss |
| scoring_elements |
0.56005 |
| published_at |
2026-05-12T12:55:00Z |
|
| 2 |
| value |
0.00331 |
| scoring_system |
epss |
| scoring_elements |
0.55982 |
| published_at |
2026-05-11T12:55:00Z |
|
| 3 |
| value |
0.00331 |
| scoring_system |
epss |
| scoring_elements |
0.56032 |
| published_at |
2026-05-09T12:55:00Z |
|
| 4 |
| value |
0.00331 |
| scoring_system |
epss |
| scoring_elements |
0.5597 |
| published_at |
2026-05-07T12:55:00Z |
|
| 5 |
| value |
0.00331 |
| scoring_system |
epss |
| scoring_elements |
0.56051 |
| published_at |
2026-04-21T12:55:00Z |
|
| 6 |
| value |
0.00331 |
| scoring_system |
epss |
| scoring_elements |
0.55978 |
| published_at |
2026-04-24T12:55:00Z |
|
| 7 |
| value |
0.00331 |
| scoring_system |
epss |
| scoring_elements |
0.55998 |
| published_at |
2026-04-26T12:55:00Z |
|
| 8 |
| value |
0.00331 |
| scoring_system |
epss |
| scoring_elements |
0.55922 |
| published_at |
2026-05-05T12:55:00Z |
|
| 9 |
| value |
0.00331 |
| scoring_system |
epss |
| scoring_elements |
0.55973 |
| published_at |
2026-04-29T12:55:00Z |
|
| 10 |
| value |
0.00359 |
| scoring_system |
epss |
| scoring_elements |
0.58097 |
| published_at |
2026-04-07T12:55:00Z |
|
| 11 |
| value |
0.00359 |
| scoring_system |
epss |
| scoring_elements |
0.58159 |
| published_at |
2026-04-18T12:55:00Z |
|
| 12 |
| value |
0.00359 |
| scoring_system |
epss |
| scoring_elements |
0.58128 |
| published_at |
2026-04-13T12:55:00Z |
|
| 13 |
| value |
0.00359 |
| scoring_system |
epss |
| scoring_elements |
0.58147 |
| published_at |
2026-04-12T12:55:00Z |
|
| 14 |
| value |
0.00359 |
| scoring_system |
epss |
| scoring_elements |
0.58171 |
| published_at |
2026-04-11T12:55:00Z |
|
| 15 |
| value |
0.00359 |
| scoring_system |
epss |
| scoring_elements |
0.58155 |
| published_at |
2026-04-09T12:55:00Z |
|
| 16 |
| value |
0.00359 |
| scoring_system |
epss |
| scoring_elements |
0.58101 |
| published_at |
2026-04-02T12:55:00Z |
|
| 17 |
| value |
0.00359 |
| scoring_system |
epss |
| scoring_elements |
0.58123 |
| published_at |
2026-04-04T12:55:00Z |
|
| 18 |
| value |
0.00359 |
| scoring_system |
epss |
| scoring_elements |
0.58151 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-30251 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/aiohttp@3.9.4 |
| purl |
pkg:pypi/aiohttp@3.9.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-19q4-vzzb-8uca |
|
| 1 |
| vulnerability |
VCID-5f1f-mrwv-zucz |
|
| 2 |
| vulnerability |
VCID-cg9h-fysf-xygf |
|
| 3 |
| vulnerability |
VCID-d3pa-kwgz-vuag |
|
| 4 |
| vulnerability |
VCID-dr2r-7qda-tfh5 |
|
| 5 |
| vulnerability |
VCID-drqp-x9gc-2qd3 |
|
| 6 |
| vulnerability |
VCID-ft9z-nd6x-27dz |
|
| 7 |
| vulnerability |
VCID-g4rj-1kzy-pkft |
|
| 8 |
| vulnerability |
VCID-hyh4-58xy-xfge |
|
| 9 |
| vulnerability |
VCID-k122-7d38-2ug5 |
|
| 10 |
| vulnerability |
VCID-kf4p-q9n9-ayhn |
|
| 11 |
| vulnerability |
VCID-peyu-fxyx-ayde |
|
| 12 |
| vulnerability |
VCID-qrus-4szm-c3bj |
|
| 13 |
| vulnerability |
VCID-qt9z-6kwe-wbht |
|
| 14 |
| vulnerability |
VCID-sjws-ddnq-fke2 |
|
| 15 |
| vulnerability |
VCID-t9gx-etxx-vkgb |
|
| 16 |
| vulnerability |
VCID-tmjw-8cdt-7yf7 |
|
| 17 |
| vulnerability |
VCID-vqvz-jfqh-jkaz |
|
| 18 |
| vulnerability |
VCID-zm3a-mf2z-xfcm |
|
| 19 |
| vulnerability |
VCID-zrgm-47ph-x3g3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.9.4 |
|
|
| aliases |
CVE-2024-30251, GHSA-5m98-qgg9-wh84
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bhkk-2b7c-wfgr |
|
| 5 |
| url |
VCID-cg9h-fysf-xygf |
| vulnerability_id |
VCID-cg9h-fysf-xygf |
| summary |
|
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34516 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11462 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.0004 |
| scoring_system |
epss |
| scoring_elements |
0.122 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.0005 |
| scoring_system |
epss |
| scoring_elements |
0.1543 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.0005 |
| scoring_system |
epss |
| scoring_elements |
0.15468 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.0005 |
| scoring_system |
epss |
| scoring_elements |
0.15418 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.0005 |
| scoring_system |
epss |
| scoring_elements |
0.1533 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.0005 |
| scoring_system |
epss |
| scoring_elements |
0.15325 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.0005 |
| scoring_system |
epss |
| scoring_elements |
0.15391 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16218 |
| published_at |
2026-04-29T12:55:00Z |
|
| 9 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16369 |
| published_at |
2026-04-21T12:55:00Z |
|
| 10 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16335 |
| published_at |
2026-04-18T12:55:00Z |
|
| 11 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16315 |
| published_at |
2026-04-16T12:55:00Z |
|
| 12 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16259 |
| published_at |
2026-04-26T12:55:00Z |
|
| 13 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16263 |
| published_at |
2026-04-24T12:55:00Z |
|
| 14 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17815 |
| published_at |
2026-05-14T12:55:00Z |
|
| 15 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17544 |
| published_at |
2026-05-05T12:55:00Z |
|
| 16 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17637 |
| published_at |
2026-05-07T12:55:00Z |
|
| 17 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17738 |
| published_at |
2026-05-09T12:55:00Z |
|
| 18 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17698 |
| published_at |
2026-05-11T12:55:00Z |
|
| 19 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17736 |
| published_at |
2026-05-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34516 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/aio-libs/aiohttp |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
6.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/aio-libs/aiohttp |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-34516, GHSA-m5qp-6w8w-w647
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cg9h-fysf-xygf |
|
| 6 |
| url |
VCID-d3pa-kwgz-vuag |
| vulnerability_id |
VCID-d3pa-kwgz-vuag |
| summary |
AIOHTTP vulnerable to denial of service through large payloads
### Summary
A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing.
### Impact
If an application includes a handler that uses the `Request.post()` method, an attacker may be able to freeze the server by exhausting the memory.
-----
Patch: https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60 |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-69228 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.1932 |
| published_at |
2026-05-05T12:55:00Z |
|
| 1 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.1943 |
| published_at |
2026-04-29T12:55:00Z |
|
| 2 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19467 |
| published_at |
2026-04-26T12:55:00Z |
|
| 3 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19479 |
| published_at |
2026-04-24T12:55:00Z |
|
| 4 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19584 |
| published_at |
2026-04-21T12:55:00Z |
|
| 5 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19572 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19565 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19587 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19646 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19695 |
| published_at |
2026-04-11T12:55:00Z |
|
| 10 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19782 |
| published_at |
2026-04-02T12:55:00Z |
|
| 11 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19689 |
| published_at |
2026-04-09T12:55:00Z |
|
| 12 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19637 |
| published_at |
2026-04-08T12:55:00Z |
|
| 13 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19557 |
| published_at |
2026-04-07T12:55:00Z |
|
| 14 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19835 |
| published_at |
2026-04-04T12:55:00Z |
|
| 15 |
| value |
0.00082 |
| scoring_system |
epss |
| scoring_elements |
0.23842 |
| published_at |
2026-05-14T12:55:00Z |
|
| 16 |
| value |
0.00082 |
| scoring_system |
epss |
| scoring_elements |
0.23714 |
| published_at |
2026-05-07T12:55:00Z |
|
| 17 |
| value |
0.00082 |
| scoring_system |
epss |
| scoring_elements |
0.23784 |
| published_at |
2026-05-09T12:55:00Z |
|
| 18 |
| value |
0.00082 |
| scoring_system |
epss |
| scoring_elements |
0.23729 |
| published_at |
2026-05-11T12:55:00Z |
|
| 19 |
| value |
0.00082 |
| scoring_system |
epss |
| scoring_elements |
0.23748 |
| published_at |
2026-05-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-69228 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-69228, GHSA-6jhg-hg63-jvvf
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d3pa-kwgz-vuag |
|
| 7 |
| url |
VCID-dr2r-7qda-tfh5 |
| vulnerability_id |
VCID-dr2r-7qda-tfh5 |
| summary |
|
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34515 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.18186 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.18133 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.18942 |
| published_at |
2026-04-21T12:55:00Z |
|
| 3 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.18918 |
| published_at |
2026-04-16T12:55:00Z |
|
| 4 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.18931 |
| published_at |
2026-04-18T12:55:00Z |
|
| 5 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.18769 |
| published_at |
2026-04-29T12:55:00Z |
|
| 6 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.18814 |
| published_at |
2026-04-26T12:55:00Z |
|
| 7 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.18834 |
| published_at |
2026-04-24T12:55:00Z |
|
| 8 |
| value |
0.00066 |
| scoring_system |
epss |
| scoring_elements |
0.20319 |
| published_at |
2026-05-11T12:55:00Z |
|
| 9 |
| value |
0.00066 |
| scoring_system |
epss |
| scoring_elements |
0.20337 |
| published_at |
2026-05-12T12:55:00Z |
|
| 10 |
| value |
0.00066 |
| scoring_system |
epss |
| scoring_elements |
0.20353 |
| published_at |
2026-05-09T12:55:00Z |
|
| 11 |
| value |
0.00066 |
| scoring_system |
epss |
| scoring_elements |
0.20424 |
| published_at |
2026-05-14T12:55:00Z |
|
| 12 |
| value |
0.00066 |
| scoring_system |
epss |
| scoring_elements |
0.20268 |
| published_at |
2026-05-07T12:55:00Z |
|
| 13 |
| value |
0.00066 |
| scoring_system |
epss |
| scoring_elements |
0.20195 |
| published_at |
2026-05-05T12:55:00Z |
|
| 14 |
| value |
0.00076 |
| scoring_system |
epss |
| scoring_elements |
0.22744 |
| published_at |
2026-04-12T12:55:00Z |
|
| 15 |
| value |
0.00076 |
| scoring_system |
epss |
| scoring_elements |
0.22761 |
| published_at |
2026-04-09T12:55:00Z |
|
| 16 |
| value |
0.00076 |
| scoring_system |
epss |
| scoring_elements |
0.22783 |
| published_at |
2026-04-11T12:55:00Z |
|
| 17 |
| value |
0.00076 |
| scoring_system |
epss |
| scoring_elements |
0.22686 |
| published_at |
2026-04-13T12:55:00Z |
|
| 18 |
| value |
0.00076 |
| scoring_system |
epss |
| scoring_elements |
0.22635 |
| published_at |
2026-04-07T12:55:00Z |
|
| 19 |
| value |
0.00076 |
| scoring_system |
epss |
| scoring_elements |
0.2271 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34515 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-34515, GHSA-p998-jp59-783m
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dr2r-7qda-tfh5 |
|
| 8 |
| url |
VCID-drqp-x9gc-2qd3 |
| vulnerability_id |
VCID-drqp-x9gc-2qd3 |
| summary |
|
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34518 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11175 |
| published_at |
2026-04-29T12:55:00Z |
|
| 1 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11236 |
| published_at |
2026-04-26T12:55:00Z |
|
| 2 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11277 |
| published_at |
2026-04-24T12:55:00Z |
|
| 3 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11337 |
| published_at |
2026-04-21T12:55:00Z |
|
| 4 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11208 |
| published_at |
2026-04-18T12:55:00Z |
|
| 5 |
| value |
0.0004 |
| scoring_system |
epss |
| scoring_elements |
0.12245 |
| published_at |
2026-04-04T12:55:00Z |
|
| 6 |
| value |
0.0004 |
| scoring_system |
epss |
| scoring_elements |
0.122 |
| published_at |
2026-04-02T12:55:00Z |
|
| 7 |
| value |
0.00041 |
| scoring_system |
epss |
| scoring_elements |
0.12492 |
| published_at |
2026-05-12T12:55:00Z |
|
| 8 |
| value |
0.00041 |
| scoring_system |
epss |
| scoring_elements |
0.12467 |
| published_at |
2026-05-11T12:55:00Z |
|
| 9 |
| value |
0.00041 |
| scoring_system |
epss |
| scoring_elements |
0.12472 |
| published_at |
2026-05-09T12:55:00Z |
|
| 10 |
| value |
0.00041 |
| scoring_system |
epss |
| scoring_elements |
0.12269 |
| published_at |
2026-05-05T12:55:00Z |
|
| 11 |
| value |
0.00041 |
| scoring_system |
epss |
| scoring_elements |
0.12406 |
| published_at |
2026-05-07T12:55:00Z |
|
| 12 |
| value |
0.00041 |
| scoring_system |
epss |
| scoring_elements |
0.12558 |
| published_at |
2026-05-14T12:55:00Z |
|
| 13 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.165 |
| published_at |
2026-04-09T12:55:00Z |
|
| 14 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16355 |
| published_at |
2026-04-07T12:55:00Z |
|
| 15 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16441 |
| published_at |
2026-04-08T12:55:00Z |
|
| 16 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16485 |
| published_at |
2026-04-11T12:55:00Z |
|
| 17 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16446 |
| published_at |
2026-04-12T12:55:00Z |
|
| 18 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16386 |
| published_at |
2026-04-13T12:55:00Z |
|
| 19 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16325 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34518 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/aio-libs/aiohttp |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
2.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/aio-libs/aiohttp |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-34518, GHSA-966j-vmvw-g2g9
|
| risk_score |
2.4 |
| exploitability |
0.5 |
| weighted_severity |
4.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-drqp-x9gc-2qd3 |
|
| 9 |
| url |
VCID-ft9z-nd6x-27dz |
| vulnerability_id |
VCID-ft9z-nd6x-27dz |
| summary |
AIOHTTP has unicode match groups in regexes for ASCII protocol elements
### Summary
The parser allows non-ASCII decimals to be present in the Range header.
### Impact
There is no known impact, but it is possible that this leniency could be exploited as part of a request smuggling attack.
----
Patch: https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96 |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-69225 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.13725 |
| published_at |
2026-05-05T12:55:00Z |
|
| 1 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.13843 |
| published_at |
2026-04-29T12:55:00Z |
|
| 2 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.1391 |
| published_at |
2026-04-26T12:55:00Z |
|
| 3 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.13936 |
| published_at |
2026-04-24T12:55:00Z |
|
| 4 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.13905 |
| published_at |
2026-04-21T12:55:00Z |
|
| 5 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.13833 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.13839 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.13935 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.13985 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.14022 |
| published_at |
2026-04-11T12:55:00Z |
|
| 10 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.14072 |
| published_at |
2026-04-02T12:55:00Z |
|
| 11 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.14067 |
| published_at |
2026-04-09T12:55:00Z |
|
| 12 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.14014 |
| published_at |
2026-04-08T12:55:00Z |
|
| 13 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.13932 |
| published_at |
2026-04-07T12:55:00Z |
|
| 14 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.14126 |
| published_at |
2026-04-04T12:55:00Z |
|
| 15 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17353 |
| published_at |
2026-05-14T12:55:00Z |
|
| 16 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17169 |
| published_at |
2026-05-07T12:55:00Z |
|
| 17 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17262 |
| published_at |
2026-05-09T12:55:00Z |
|
| 18 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17231 |
| published_at |
2026-05-11T12:55:00Z |
|
| 19 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.1727 |
| published_at |
2026-05-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-69225 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-69225, GHSA-mqqc-3gqh-h2x8
|
| risk_score |
2.5 |
| exploitability |
0.5 |
| weighted_severity |
4.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ft9z-nd6x-27dz |
|
| 10 |
| url |
VCID-g4rj-1kzy-pkft |
| vulnerability_id |
VCID-g4rj-1kzy-pkft |
| summary |
|
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34525 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00085 |
| scoring_system |
epss |
| scoring_elements |
0.24814 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00085 |
| scoring_system |
epss |
| scoring_elements |
0.24852 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.2782 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27777 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27709 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27734 |
| published_at |
2026-04-16T12:55:00Z |
|
| 6 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27726 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27783 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27825 |
| published_at |
2026-04-11T12:55:00Z |
|
| 9 |
| value |
0.00119 |
| scoring_system |
epss |
| scoring_elements |
0.30582 |
| published_at |
2026-04-26T12:55:00Z |
|
| 10 |
| value |
0.00119 |
| scoring_system |
epss |
| scoring_elements |
0.3086 |
| published_at |
2026-04-21T12:55:00Z |
|
| 11 |
| value |
0.00119 |
| scoring_system |
epss |
| scoring_elements |
0.30894 |
| published_at |
2026-04-18T12:55:00Z |
|
| 12 |
| value |
0.00119 |
| scoring_system |
epss |
| scoring_elements |
0.30498 |
| published_at |
2026-04-29T12:55:00Z |
|
| 13 |
| value |
0.00119 |
| scoring_system |
epss |
| scoring_elements |
0.30698 |
| published_at |
2026-04-24T12:55:00Z |
|
| 14 |
| value |
0.0013 |
| scoring_system |
epss |
| scoring_elements |
0.32024 |
| published_at |
2026-05-14T12:55:00Z |
|
| 15 |
| value |
0.0013 |
| scoring_system |
epss |
| scoring_elements |
0.31952 |
| published_at |
2026-05-05T12:55:00Z |
|
| 16 |
| value |
0.0013 |
| scoring_system |
epss |
| scoring_elements |
0.32018 |
| published_at |
2026-05-07T12:55:00Z |
|
| 17 |
| value |
0.0013 |
| scoring_system |
epss |
| scoring_elements |
0.32027 |
| published_at |
2026-05-09T12:55:00Z |
|
| 18 |
| value |
0.0013 |
| scoring_system |
epss |
| scoring_elements |
0.31932 |
| published_at |
2026-05-11T12:55:00Z |
|
| 19 |
| value |
0.0013 |
| scoring_system |
epss |
| scoring_elements |
0.31955 |
| published_at |
2026-05-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34525 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-34525, GHSA-c427-h43c-vf67
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g4rj-1kzy-pkft |
|
| 11 |
| url |
VCID-hyh4-58xy-xfge |
| vulnerability_id |
VCID-hyh4-58xy-xfge |
| summary |
|
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34517 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0004 |
| scoring_system |
epss |
| scoring_elements |
0.12245 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.0004 |
| scoring_system |
epss |
| scoring_elements |
0.122 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.15817 |
| published_at |
2026-04-24T12:55:00Z |
|
| 3 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.15796 |
| published_at |
2026-04-21T12:55:00Z |
|
| 4 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.15753 |
| published_at |
2026-04-18T12:55:00Z |
|
| 5 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.15744 |
| published_at |
2026-04-16T12:55:00Z |
|
| 6 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.15771 |
| published_at |
2026-04-29T12:55:00Z |
|
| 7 |
| value |
0.00051 |
| scoring_system |
epss |
| scoring_elements |
0.15814 |
| published_at |
2026-04-26T12:55:00Z |
|
| 8 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16485 |
| published_at |
2026-04-11T12:55:00Z |
|
| 9 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.165 |
| published_at |
2026-04-09T12:55:00Z |
|
| 10 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16441 |
| published_at |
2026-04-08T12:55:00Z |
|
| 11 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16355 |
| published_at |
2026-04-07T12:55:00Z |
|
| 12 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16386 |
| published_at |
2026-04-13T12:55:00Z |
|
| 13 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16446 |
| published_at |
2026-04-12T12:55:00Z |
|
| 14 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17369 |
| published_at |
2026-05-14T12:55:00Z |
|
| 15 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17095 |
| published_at |
2026-05-05T12:55:00Z |
|
| 16 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17184 |
| published_at |
2026-05-07T12:55:00Z |
|
| 17 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17277 |
| published_at |
2026-05-09T12:55:00Z |
|
| 18 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17248 |
| published_at |
2026-05-11T12:55:00Z |
|
| 19 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17287 |
| published_at |
2026-05-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34517 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-34517, GHSA-3wq7-rqq7-wx6j
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hyh4-58xy-xfge |
|
| 12 |
| url |
VCID-jxqg-x9dh-z3hb |
| vulnerability_id |
VCID-jxqg-x9dh-z3hb |
| summary |
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in the character sets they allow; disallowed characters must trigger error handling so that the parser robustly matches the frame boundaries of proxies, which protects against injection of additional requests. Additionally, validation could raise exceptions that were not handled consistently with the processing of other malformed input. Being more lenient than internet standards require could, depending on the deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-23829 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00475 |
| scoring_system |
epss |
| scoring_elements |
0.64834 |
| published_at |
2026-04-24T12:55:00Z |
|
| 1 |
| value |
0.00475 |
| scoring_system |
epss |
| scoring_elements |
0.64816 |
| published_at |
2026-04-21T12:55:00Z |
|
| 2 |
| value |
0.00475 |
| scoring_system |
epss |
| scoring_elements |
0.64961 |
| published_at |
2026-05-14T12:55:00Z |
|
| 3 |
| value |
0.00475 |
| scoring_system |
epss |
| scoring_elements |
0.64905 |
| published_at |
2026-05-12T12:55:00Z |
|
| 4 |
| value |
0.00475 |
| scoring_system |
epss |
| scoring_elements |
0.64884 |
| published_at |
2026-05-11T12:55:00Z |
|
| 5 |
| value |
0.00475 |
| scoring_system |
epss |
| scoring_elements |
0.64915 |
| published_at |
2026-05-09T12:55:00Z |
|
| 6 |
| value |
0.00475 |
| scoring_system |
epss |
| scoring_elements |
0.64871 |
| published_at |
2026-05-07T12:55:00Z |
|
| 7 |
| value |
0.00475 |
| scoring_system |
epss |
| scoring_elements |
0.64823 |
| published_at |
2026-05-05T12:55:00Z |
|
| 8 |
| value |
0.00475 |
| scoring_system |
epss |
| scoring_elements |
0.64847 |
| published_at |
2026-04-26T12:55:00Z |
|
| 9 |
| value |
0.00475 |
| scoring_system |
epss |
| scoring_elements |
0.64843 |
| published_at |
2026-04-29T12:55:00Z |
|
| 10 |
| value |
0.00515 |
| scoring_system |
epss |
| scoring_elements |
0.66624 |
| published_at |
2026-04-13T12:55:00Z |
|
| 11 |
| value |
0.00515 |
| scoring_system |
epss |
| scoring_elements |
0.6659 |
| published_at |
2026-04-02T12:55:00Z |
|
| 12 |
| value |
0.00515 |
| scoring_system |
epss |
| scoring_elements |
0.66657 |
| published_at |
2026-04-12T12:55:00Z |
|
| 13 |
| value |
0.00515 |
| scoring_system |
epss |
| scoring_elements |
0.66617 |
| published_at |
2026-04-04T12:55:00Z |
|
| 14 |
| value |
0.00515 |
| scoring_system |
epss |
| scoring_elements |
0.66588 |
| published_at |
2026-04-07T12:55:00Z |
|
| 15 |
| value |
0.00515 |
| scoring_system |
epss |
| scoring_elements |
0.66636 |
| published_at |
2026-04-08T12:55:00Z |
|
| 16 |
| value |
0.00515 |
| scoring_system |
epss |
| scoring_elements |
0.6665 |
| published_at |
2026-04-09T12:55:00Z |
|
| 17 |
| value |
0.00515 |
| scoring_system |
epss |
| scoring_elements |
0.66669 |
| published_at |
2026-04-11T12:55:00Z |
|
| 18 |
| value |
0.00515 |
| scoring_system |
epss |
| scoring_elements |
0.66674 |
| published_at |
2026-04-18T12:55:00Z |
|
| 19 |
| value |
0.00515 |
| scoring_system |
epss |
| scoring_elements |
0.6666 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-23829 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/aio-libs/aiohttp |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/aio-libs/aiohttp |
|
| 5 |
|
| 6 |
|
| 7 |
| reference_url |
https://github.com/aio-libs/aiohttp/pull/8074 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-01T16:40:08Z/ |
|
|
| url |
https://github.com/aio-libs/aiohttp/pull/8074 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/aiohttp@3.9.2 |
| purl |
pkg:pypi/aiohttp@3.9.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-19q4-vzzb-8uca |
|
| 1 |
| vulnerability |
VCID-5f1f-mrwv-zucz |
|
| 2 |
| vulnerability |
VCID-bhkk-2b7c-wfgr |
|
| 3 |
| vulnerability |
VCID-cg9h-fysf-xygf |
|
| 4 |
| vulnerability |
VCID-d3pa-kwgz-vuag |
|
| 5 |
| vulnerability |
VCID-dr2r-7qda-tfh5 |
|
| 6 |
| vulnerability |
VCID-drqp-x9gc-2qd3 |
|
| 7 |
| vulnerability |
VCID-ft9z-nd6x-27dz |
|
| 8 |
| vulnerability |
VCID-g4rj-1kzy-pkft |
|
| 9 |
| vulnerability |
VCID-hyh4-58xy-xfge |
|
| 10 |
| vulnerability |
VCID-k122-7d38-2ug5 |
|
| 11 |
| vulnerability |
VCID-kf4p-q9n9-ayhn |
|
| 12 |
| vulnerability |
VCID-peyu-fxyx-ayde |
|
| 13 |
| vulnerability |
VCID-qrus-4szm-c3bj |
|
| 14 |
| vulnerability |
VCID-qt9z-6kwe-wbht |
|
| 15 |
| vulnerability |
VCID-sjws-ddnq-fke2 |
|
| 16 |
| vulnerability |
VCID-t9gx-etxx-vkgb |
|
| 17 |
| vulnerability |
VCID-tmjw-8cdt-7yf7 |
|
| 18 |
| vulnerability |
VCID-tn28-662n-vug8 |
|
| 19 |
| vulnerability |
VCID-vqvz-jfqh-jkaz |
|
| 20 |
| vulnerability |
VCID-zm3a-mf2z-xfcm |
|
| 21 |
| vulnerability |
VCID-zrgm-47ph-x3g3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.9.2 |
|
|
| aliases |
CVE-2024-23829, GHSA-8qpw-xqxj-h4r2, PYSEC-2024-26
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jxqg-x9dh-z3hb |
|
| 13 |
| url |
VCID-k122-7d38-2ug5 |
| vulnerability_id |
VCID-k122-7d38-2ug5 |
| summary |
AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections
### Summary
The Python parser is vulnerable to request smuggling because it does not parse the trailer sections of an HTTP request.
### Impact
If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.
----
Patch: https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-53643 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00078 |
| scoring_system |
epss |
| scoring_elements |
0.23078 |
| published_at |
2026-04-07T12:55:00Z |
|
| 1 |
| value |
0.00078 |
| scoring_system |
epss |
| scoring_elements |
0.23245 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00078 |
| scoring_system |
epss |
| scoring_elements |
0.23289 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00078 |
| scoring_system |
epss |
| scoring_elements |
0.23152 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00086 |
| scoring_system |
epss |
| scoring_elements |
0.24925 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00086 |
| scoring_system |
epss |
| scoring_elements |
0.24858 |
| published_at |
2026-04-16T12:55:00Z |
|
| 6 |
| value |
0.00086 |
| scoring_system |
epss |
| scoring_elements |
0.24847 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00086 |
| scoring_system |
epss |
| scoring_elements |
0.24852 |
| published_at |
2026-04-18T12:55:00Z |
|
| 8 |
| value |
0.00086 |
| scoring_system |
epss |
| scoring_elements |
0.24716 |
| published_at |
2026-04-29T12:55:00Z |
|
| 9 |
| value |
0.00086 |
| scoring_system |
epss |
| scoring_elements |
0.24762 |
| published_at |
2026-04-26T12:55:00Z |
|
| 10 |
| value |
0.00086 |
| scoring_system |
epss |
| scoring_elements |
0.24773 |
| published_at |
2026-04-24T12:55:00Z |
|
| 11 |
| value |
0.00086 |
| scoring_system |
epss |
| scoring_elements |
0.2483 |
| published_at |
2026-04-21T12:55:00Z |
|
| 12 |
| value |
0.00086 |
| scoring_system |
epss |
| scoring_elements |
0.24901 |
| published_at |
2026-04-12T12:55:00Z |
|
| 13 |
| value |
0.00086 |
| scoring_system |
epss |
| scoring_elements |
0.2494 |
| published_at |
2026-04-11T12:55:00Z |
|
| 14 |
| value |
0.00094 |
| scoring_system |
epss |
| scoring_elements |
0.25958 |
| published_at |
2026-05-09T12:55:00Z |
|
| 15 |
| value |
0.00094 |
| scoring_system |
epss |
| scoring_elements |
0.25843 |
| published_at |
2026-05-05T12:55:00Z |
|
| 16 |
| value |
0.00094 |
| scoring_system |
epss |
| scoring_elements |
0.25902 |
| published_at |
2026-05-07T12:55:00Z |
|
| 17 |
| value |
0.00341 |
| scoring_system |
epss |
| scoring_elements |
0.56846 |
| published_at |
2026-05-14T12:55:00Z |
|
| 18 |
| value |
0.00341 |
| scoring_system |
epss |
| scoring_elements |
0.56759 |
| published_at |
2026-05-11T12:55:00Z |
|
| 19 |
| value |
0.00341 |
| scoring_system |
epss |
| scoring_elements |
0.56783 |
| published_at |
2026-05-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-53643 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/aiohttp@3.12.14 |
| purl |
pkg:pypi/aiohttp@3.12.14 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-19q4-vzzb-8uca |
|
| 1 |
| vulnerability |
VCID-5f1f-mrwv-zucz |
|
| 2 |
| vulnerability |
VCID-cg9h-fysf-xygf |
|
| 3 |
| vulnerability |
VCID-d3pa-kwgz-vuag |
|
| 4 |
| vulnerability |
VCID-dr2r-7qda-tfh5 |
|
| 5 |
| vulnerability |
VCID-drqp-x9gc-2qd3 |
|
| 6 |
| vulnerability |
VCID-ft9z-nd6x-27dz |
|
| 7 |
| vulnerability |
VCID-g4rj-1kzy-pkft |
|
| 8 |
| vulnerability |
VCID-hyh4-58xy-xfge |
|
| 9 |
| vulnerability |
VCID-kf4p-q9n9-ayhn |
|
| 10 |
| vulnerability |
VCID-peyu-fxyx-ayde |
|
| 11 |
| vulnerability |
VCID-qrus-4szm-c3bj |
|
| 12 |
| vulnerability |
VCID-qt9z-6kwe-wbht |
|
| 13 |
| vulnerability |
VCID-sjws-ddnq-fke2 |
|
| 14 |
| vulnerability |
VCID-t9gx-etxx-vkgb |
|
| 15 |
| vulnerability |
VCID-tmjw-8cdt-7yf7 |
|
| 16 |
| vulnerability |
VCID-vqvz-jfqh-jkaz |
|
| 17 |
| vulnerability |
VCID-zm3a-mf2z-xfcm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.12.14 |
|
|
| aliases |
CVE-2025-53643, GHSA-9548-qrrj-x5pj
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-k122-7d38-2ug5 |
|
| 14 |
| url |
VCID-kf4p-q9n9-ayhn |
| vulnerability_id |
VCID-kf4p-q9n9-ayhn |
| summary |
|
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-22815 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00038 |
| scoring_system |
epss |
| scoring_elements |
0.11462 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.0004 |
| scoring_system |
epss |
| scoring_elements |
0.122 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16432 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16263 |
| published_at |
2026-04-24T12:55:00Z |
|
| 4 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16369 |
| published_at |
2026-04-21T12:55:00Z |
|
| 5 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16335 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16315 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16375 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16436 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16475 |
| published_at |
2026-04-11T12:55:00Z |
|
| 10 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16346 |
| published_at |
2026-04-07T12:55:00Z |
|
| 11 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16491 |
| published_at |
2026-04-09T12:55:00Z |
|
| 12 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16218 |
| published_at |
2026-04-29T12:55:00Z |
|
| 13 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16259 |
| published_at |
2026-04-26T12:55:00Z |
|
| 14 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17736 |
| published_at |
2026-05-12T12:55:00Z |
|
| 15 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17698 |
| published_at |
2026-05-11T12:55:00Z |
|
| 16 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17738 |
| published_at |
2026-05-09T12:55:00Z |
|
| 17 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17637 |
| published_at |
2026-05-07T12:55:00Z |
|
| 18 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17544 |
| published_at |
2026-05-05T12:55:00Z |
|
| 19 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17815 |
| published_at |
2026-05-14T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-22815 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-22815, GHSA-w2fm-2cpv-w7v5
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kf4p-q9n9-ayhn |
|
| 15 |
| url |
VCID-peyu-fxyx-ayde |
| vulnerability_id |
VCID-peyu-fxyx-ayde |
| summary |
AIOHTTP vulnerable to DoS through chunked messages
### Summary
Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks.
### Impact
If an application makes use of the `request.read()` method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time.
-----
Patch: https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712
Patch: https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229 |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-69229 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.1599 |
| published_at |
2026-05-05T12:55:00Z |
|
| 1 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16113 |
| published_at |
2026-04-29T12:55:00Z |
|
| 2 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16152 |
| published_at |
2026-04-26T12:55:00Z |
|
| 3 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16154 |
| published_at |
2026-04-24T12:55:00Z |
|
| 4 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16261 |
| published_at |
2026-04-21T12:55:00Z |
|
| 5 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16223 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16204 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16268 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16336 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16375 |
| published_at |
2026-04-11T12:55:00Z |
|
| 10 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16392 |
| published_at |
2026-04-09T12:55:00Z |
|
| 11 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16328 |
| published_at |
2026-04-08T12:55:00Z |
|
| 12 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16391 |
| published_at |
2026-04-02T12:55:00Z |
|
| 13 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16454 |
| published_at |
2026-04-04T12:55:00Z |
|
| 14 |
| value |
0.00052 |
| scoring_system |
epss |
| scoring_elements |
0.16243 |
| published_at |
2026-04-07T12:55:00Z |
|
| 15 |
| value |
0.00067 |
| scoring_system |
epss |
| scoring_elements |
0.20693 |
| published_at |
2026-05-14T12:55:00Z |
|
| 16 |
| value |
0.00067 |
| scoring_system |
epss |
| scoring_elements |
0.20533 |
| published_at |
2026-05-07T12:55:00Z |
|
| 17 |
| value |
0.00067 |
| scoring_system |
epss |
| scoring_elements |
0.20621 |
| published_at |
2026-05-09T12:55:00Z |
|
| 18 |
| value |
0.00067 |
| scoring_system |
epss |
| scoring_elements |
0.20597 |
| published_at |
2026-05-11T12:55:00Z |
|
| 19 |
| value |
0.00067 |
| scoring_system |
epss |
| scoring_elements |
0.20612 |
| published_at |
2026-05-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-69229 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-69229, GHSA-g84x-mcqj-x9qq
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-peyu-fxyx-ayde |
|
| 16 |
| url |
VCID-pmr9-w1fc-93cm |
| vulnerability_id |
VCID-pmr9-w1fc-93cm |
| summary |
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-47627 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00239 |
| scoring_system |
epss |
| scoring_elements |
0.46988 |
| published_at |
2026-04-21T12:55:00Z |
|
| 1 |
| value |
0.00239 |
| scoring_system |
epss |
| scoring_elements |
0.46975 |
| published_at |
2026-05-14T12:55:00Z |
|
| 2 |
| value |
0.00239 |
| scoring_system |
epss |
| scoring_elements |
0.46905 |
| published_at |
2026-05-12T12:55:00Z |
|
| 3 |
| value |
0.00239 |
| scoring_system |
epss |
| scoring_elements |
0.46873 |
| published_at |
2026-05-11T12:55:00Z |
|
| 4 |
| value |
0.00239 |
| scoring_system |
epss |
| scoring_elements |
0.4693 |
| published_at |
2026-05-09T12:55:00Z |
|
| 5 |
| value |
0.00239 |
| scoring_system |
epss |
| scoring_elements |
0.46911 |
| published_at |
2026-05-07T12:55:00Z |
|
| 6 |
| value |
0.00239 |
| scoring_system |
epss |
| scoring_elements |
0.46849 |
| published_at |
2026-05-05T12:55:00Z |
|
| 7 |
| value |
0.00239 |
| scoring_system |
epss |
| scoring_elements |
0.46937 |
| published_at |
2026-04-29T12:55:00Z |
|
| 8 |
| value |
0.00239 |
| scoring_system |
epss |
| scoring_elements |
0.46985 |
| published_at |
2026-04-26T12:55:00Z |
|
| 9 |
| value |
0.00239 |
| scoring_system |
epss |
| scoring_elements |
0.46974 |
| published_at |
2026-04-24T12:55:00Z |
|
| 10 |
| value |
0.0026 |
| scoring_system |
epss |
| scoring_elements |
0.49298 |
| published_at |
2026-04-13T12:55:00Z |
|
| 11 |
| value |
0.0026 |
| scoring_system |
epss |
| scoring_elements |
0.49252 |
| published_at |
2026-04-07T12:55:00Z |
|
| 12 |
| value |
0.0026 |
| scoring_system |
epss |
| scoring_elements |
0.49307 |
| published_at |
2026-04-08T12:55:00Z |
|
| 13 |
| value |
0.0026 |
| scoring_system |
epss |
| scoring_elements |
0.49303 |
| published_at |
2026-04-09T12:55:00Z |
|
| 14 |
| value |
0.0026 |
| scoring_system |
epss |
| scoring_elements |
0.49271 |
| published_at |
2026-04-02T12:55:00Z |
|
| 15 |
| value |
0.0026 |
| scoring_system |
epss |
| scoring_elements |
0.49321 |
| published_at |
2026-04-11T12:55:00Z |
|
| 16 |
| value |
0.0026 |
| scoring_system |
epss |
| scoring_elements |
0.49295 |
| published_at |
2026-04-12T12:55:00Z |
|
| 17 |
| value |
0.0026 |
| scoring_system |
epss |
| scoring_elements |
0.49346 |
| published_at |
2026-04-16T12:55:00Z |
|
| 18 |
| value |
0.0026 |
| scoring_system |
epss |
| scoring_elements |
0.49342 |
| published_at |
2026-04-18T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-47627 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/aio-libs/aiohttp |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/aio-libs/aiohttp |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/aiohttp@3.8.6 |
| purl |
pkg:pypi/aiohttp@3.8.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-19q4-vzzb-8uca |
|
| 1 |
| vulnerability |
VCID-5f1f-mrwv-zucz |
|
| 2 |
| vulnerability |
VCID-bcuu-jvzt-6fhn |
|
| 3 |
| vulnerability |
VCID-bhkk-2b7c-wfgr |
|
| 4 |
| vulnerability |
VCID-cg9h-fysf-xygf |
|
| 5 |
| vulnerability |
VCID-d3pa-kwgz-vuag |
|
| 6 |
| vulnerability |
VCID-dr2r-7qda-tfh5 |
|
| 7 |
| vulnerability |
VCID-drqp-x9gc-2qd3 |
|
| 8 |
| vulnerability |
VCID-ft9z-nd6x-27dz |
|
| 9 |
| vulnerability |
VCID-g4rj-1kzy-pkft |
|
| 10 |
| vulnerability |
VCID-hyh4-58xy-xfge |
|
| 11 |
| vulnerability |
VCID-jxqg-x9dh-z3hb |
|
| 12 |
| vulnerability |
VCID-k122-7d38-2ug5 |
|
| 13 |
| vulnerability |
VCID-kf4p-q9n9-ayhn |
|
| 14 |
| vulnerability |
VCID-peyu-fxyx-ayde |
|
| 15 |
| vulnerability |
VCID-pqus-ew4j-k7da |
|
| 16 |
| vulnerability |
VCID-qrus-4szm-c3bj |
|
| 17 |
| vulnerability |
VCID-qt9z-6kwe-wbht |
|
| 18 |
| vulnerability |
VCID-sjws-ddnq-fke2 |
|
| 19 |
| vulnerability |
VCID-t9gx-etxx-vkgb |
|
| 20 |
| vulnerability |
VCID-tmjw-8cdt-7yf7 |
|
| 21 |
| vulnerability |
VCID-tn28-662n-vug8 |
|
| 22 |
| vulnerability |
VCID-ue33-na1g-rqa7 |
|
| 23 |
| vulnerability |
VCID-vqvz-jfqh-jkaz |
|
| 24 |
| vulnerability |
VCID-zm3a-mf2z-xfcm |
|
| 25 |
| vulnerability |
VCID-zrgm-47ph-x3g3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.8.6 |
|
|
| aliases |
CVE-2023-47627, GHSA-gfw2-4jvh-wgfg, PYSEC-2023-246
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pmr9-w1fc-93cm |
|
| 17 |
| url |
VCID-pqus-ew4j-k7da |
| vulnerability_id |
VCID-pqus-ew4j-k7da |
| summary |
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-23334 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.93482 |
| scoring_system |
epss |
| scoring_elements |
0.99822 |
| published_at |
2026-04-11T12:55:00Z |
|
| 1 |
| value |
0.93482 |
| scoring_system |
epss |
| scoring_elements |
0.99824 |
| published_at |
2026-04-18T12:55:00Z |
|
| 2 |
| value |
0.93482 |
| scoring_system |
epss |
| scoring_elements |
0.99823 |
| published_at |
2026-04-16T12:55:00Z |
|
| 3 |
| value |
0.93482 |
| scoring_system |
epss |
| scoring_elements |
0.99821 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.93482 |
| scoring_system |
epss |
| scoring_elements |
0.99828 |
| published_at |
2026-05-12T12:55:00Z |
|
| 5 |
| value |
0.93482 |
| scoring_system |
epss |
| scoring_elements |
0.99827 |
| published_at |
2026-05-05T12:55:00Z |
|
| 6 |
| value |
0.93482 |
| scoring_system |
epss |
| scoring_elements |
0.99826 |
| published_at |
2026-04-24T12:55:00Z |
|
| 7 |
| value |
0.93482 |
| scoring_system |
epss |
| scoring_elements |
0.99825 |
| published_at |
2026-04-21T12:55:00Z |
|
| 8 |
| value |
0.93651 |
| scoring_system |
epss |
| scoring_elements |
0.99847 |
| published_at |
2026-05-14T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-23334 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/aio-libs/aiohttp |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.9 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
8.2 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/aio-libs/aiohttp |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/aio-libs/aiohttp/pull/8079 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.9 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
8.2 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-30T19:29:24Z/ |
|
|
| url |
https://github.com/aio-libs/aiohttp/pull/8079 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
| reference_url |
https://www.exploit-db.com/exploits/52474 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.9 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
8.2 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://www.exploit-db.com/exploits/52474 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/aiohttp@3.9.2 |
| purl |
pkg:pypi/aiohttp@3.9.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-19q4-vzzb-8uca |
|
| 1 |
| vulnerability |
VCID-5f1f-mrwv-zucz |
|
| 2 |
| vulnerability |
VCID-bhkk-2b7c-wfgr |
|
| 3 |
| vulnerability |
VCID-cg9h-fysf-xygf |
|
| 4 |
| vulnerability |
VCID-d3pa-kwgz-vuag |
|
| 5 |
| vulnerability |
VCID-dr2r-7qda-tfh5 |
|
| 6 |
| vulnerability |
VCID-drqp-x9gc-2qd3 |
|
| 7 |
| vulnerability |
VCID-ft9z-nd6x-27dz |
|
| 8 |
| vulnerability |
VCID-g4rj-1kzy-pkft |
|
| 9 |
| vulnerability |
VCID-hyh4-58xy-xfge |
|
| 10 |
| vulnerability |
VCID-k122-7d38-2ug5 |
|
| 11 |
| vulnerability |
VCID-kf4p-q9n9-ayhn |
|
| 12 |
| vulnerability |
VCID-peyu-fxyx-ayde |
|
| 13 |
| vulnerability |
VCID-qrus-4szm-c3bj |
|
| 14 |
| vulnerability |
VCID-qt9z-6kwe-wbht |
|
| 15 |
| vulnerability |
VCID-sjws-ddnq-fke2 |
|
| 16 |
| vulnerability |
VCID-t9gx-etxx-vkgb |
|
| 17 |
| vulnerability |
VCID-tmjw-8cdt-7yf7 |
|
| 18 |
| vulnerability |
VCID-tn28-662n-vug8 |
|
| 19 |
| vulnerability |
VCID-vqvz-jfqh-jkaz |
|
| 20 |
| vulnerability |
VCID-zm3a-mf2z-xfcm |
|
| 21 |
| vulnerability |
VCID-zrgm-47ph-x3g3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.9.2 |
|
|
| aliases |
CVE-2024-23334, GHSA-5h86-8mv2-jq9f, PYSEC-2024-24
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pqus-ew4j-k7da |
|
| 18 |
| url |
VCID-qrus-4szm-c3bj |
| vulnerability_id |
VCID-qrus-4szm-c3bj |
| summary |
AIOHTTP's unicode processing of header values could cause parsing discrepancies
### Summary
The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters.
### Impact
If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.
------
Patch: https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0 |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-69224 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13027 |
| published_at |
2026-05-05T12:55:00Z |
|
| 1 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13124 |
| published_at |
2026-04-29T12:55:00Z |
|
| 2 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13228 |
| published_at |
2026-04-26T12:55:00Z |
|
| 3 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13256 |
| published_at |
2026-04-24T12:55:00Z |
|
| 4 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13251 |
| published_at |
2026-04-21T12:55:00Z |
|
| 5 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13164 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13165 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13259 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13308 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13346 |
| published_at |
2026-04-11T12:55:00Z |
|
| 10 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13383 |
| published_at |
2026-04-02T12:55:00Z |
|
| 11 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13376 |
| published_at |
2026-04-09T12:55:00Z |
|
| 12 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13325 |
| published_at |
2026-04-08T12:55:00Z |
|
| 13 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13447 |
| published_at |
2026-04-04T12:55:00Z |
|
| 14 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13243 |
| published_at |
2026-04-07T12:55:00Z |
|
| 15 |
| value |
0.00053 |
| scoring_system |
epss |
| scoring_elements |
0.16569 |
| published_at |
2026-05-14T12:55:00Z |
|
| 16 |
| value |
0.00053 |
| scoring_system |
epss |
| scoring_elements |
0.16392 |
| published_at |
2026-05-07T12:55:00Z |
|
| 17 |
| value |
0.00053 |
| scoring_system |
epss |
| scoring_elements |
0.16498 |
| published_at |
2026-05-09T12:55:00Z |
|
| 18 |
| value |
0.00053 |
| scoring_system |
epss |
| scoring_elements |
0.16463 |
| published_at |
2026-05-11T12:55:00Z |
|
| 19 |
| value |
0.00053 |
| scoring_system |
epss |
| scoring_elements |
0.16497 |
| published_at |
2026-05-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-69224 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-69224, GHSA-69f9-5gxw-wvc2
|
| risk_score |
2.9 |
| exploitability |
0.5 |
| weighted_severity |
5.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qrus-4szm-c3bj |
|
| 19 |
| url |
VCID-qt9z-6kwe-wbht |
| vulnerability_id |
VCID-qt9z-6kwe-wbht |
| summary |
|
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34514 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00039 |
| scoring_system |
epss |
| scoring_elements |
0.11694 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00039 |
| scoring_system |
epss |
| scoring_elements |
0.11693 |
| published_at |
2026-04-18T12:55:00Z |
|
| 2 |
| value |
0.00039 |
| scoring_system |
epss |
| scoring_elements |
0.1165 |
| published_at |
2026-04-29T12:55:00Z |
|
| 3 |
| value |
0.00039 |
| scoring_system |
epss |
| scoring_elements |
0.11732 |
| published_at |
2026-04-26T12:55:00Z |
|
| 4 |
| value |
0.00039 |
| scoring_system |
epss |
| scoring_elements |
0.11778 |
| published_at |
2026-04-24T12:55:00Z |
|
| 5 |
| value |
0.00039 |
| scoring_system |
epss |
| scoring_elements |
0.1181 |
| published_at |
2026-04-21T12:55:00Z |
|
| 6 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.12951 |
| published_at |
2026-05-07T12:55:00Z |
|
| 7 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13105 |
| published_at |
2026-05-14T12:55:00Z |
|
| 8 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13019 |
| published_at |
2026-05-09T12:55:00Z |
|
| 9 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.12798 |
| published_at |
2026-05-05T12:55:00Z |
|
| 10 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13032 |
| published_at |
2026-05-12T12:55:00Z |
|
| 11 |
| value |
0.00043 |
| scoring_system |
epss |
| scoring_elements |
0.13007 |
| published_at |
2026-05-11T12:55:00Z |
|
| 12 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.13732 |
| published_at |
2026-04-02T12:55:00Z |
|
| 13 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.13791 |
| published_at |
2026-04-04T12:55:00Z |
|
| 14 |
| value |
0.00059 |
| scoring_system |
epss |
| scoring_elements |
0.18422 |
| published_at |
2026-04-11T12:55:00Z |
|
| 15 |
| value |
0.00059 |
| scoring_system |
epss |
| scoring_elements |
0.18423 |
| published_at |
2026-04-09T12:55:00Z |
|
| 16 |
| value |
0.00059 |
| scoring_system |
epss |
| scoring_elements |
0.18375 |
| published_at |
2026-04-12T12:55:00Z |
|
| 17 |
| value |
0.00059 |
| scoring_system |
epss |
| scoring_elements |
0.18323 |
| published_at |
2026-04-13T12:55:00Z |
|
| 18 |
| value |
0.00059 |
| scoring_system |
epss |
| scoring_elements |
0.18287 |
| published_at |
2026-04-07T12:55:00Z |
|
| 19 |
| value |
0.00059 |
| scoring_system |
epss |
| scoring_elements |
0.1837 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34514 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-34514, GHSA-2vrm-gr82-f7m5
|
| risk_score |
2.4 |
| exploitability |
0.5 |
| weighted_severity |
4.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qt9z-6kwe-wbht |
|
| 20 |
| url |
VCID-sjws-ddnq-fke2 |
| vulnerability_id |
VCID-sjws-ddnq-fke2 |
| summary |
AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
### Summary
A zip bomb can be used to execute a DoS against the aiohttp server.
### Impact
An attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory.
------
Patch: https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-69223 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.1932 |
| published_at |
2026-05-05T12:55:00Z |
|
| 1 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.1943 |
| published_at |
2026-04-29T12:55:00Z |
|
| 2 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19467 |
| published_at |
2026-04-26T12:55:00Z |
|
| 3 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19479 |
| published_at |
2026-04-24T12:55:00Z |
|
| 4 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19584 |
| published_at |
2026-04-21T12:55:00Z |
|
| 5 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19572 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19565 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19587 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19646 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19695 |
| published_at |
2026-04-11T12:55:00Z |
|
| 10 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19782 |
| published_at |
2026-04-02T12:55:00Z |
|
| 11 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19689 |
| published_at |
2026-04-09T12:55:00Z |
|
| 12 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19637 |
| published_at |
2026-04-08T12:55:00Z |
|
| 13 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19557 |
| published_at |
2026-04-07T12:55:00Z |
|
| 14 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19835 |
| published_at |
2026-04-04T12:55:00Z |
|
| 15 |
| value |
0.00082 |
| scoring_system |
epss |
| scoring_elements |
0.23842 |
| published_at |
2026-05-14T12:55:00Z |
|
| 16 |
| value |
0.00082 |
| scoring_system |
epss |
| scoring_elements |
0.23714 |
| published_at |
2026-05-07T12:55:00Z |
|
| 17 |
| value |
0.00082 |
| scoring_system |
epss |
| scoring_elements |
0.23784 |
| published_at |
2026-05-09T12:55:00Z |
|
| 18 |
| value |
0.00082 |
| scoring_system |
epss |
| scoring_elements |
0.23729 |
| published_at |
2026-05-11T12:55:00Z |
|
| 19 |
| value |
0.00082 |
| scoring_system |
epss |
| scoring_elements |
0.23748 |
| published_at |
2026-05-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-69223 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-69223, GHSA-6mq8-rvhq-8wgg
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sjws-ddnq-fke2 |
|
| 21 |
| url |
VCID-t2aj-cszz-tyd7 |
| vulnerability_id |
VCID-t2aj-cszz-tyd7 |
| summary |
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding inconsistent interpretation of the HTTP protocol. HTTP/1.1 is a persistent protocol: if both Content-Length (CL) and Transfer-Encoding (TE) header values are present, the two entities that parse the HTTP message can interpret it differently, and this inconsistent interpretation can be used to poison other sockets. A possible Proof-of-Concept (POC) would be a configuration with a reverse proxy (frontend) that accepts both CL and TE headers and aiohttp as backend. As aiohttp parses anything with chunked, a value such as chunked123 can be passed as TE; the frontend entity will ignore this header and will parse Content-Length. The impact of this vulnerability is that it is possible to bypass any proxy rule and to poison sockets to other users, like passing Authentication Headers; also, if an Open Redirect is present, an attacker could combine it to redirect random users to another website and log the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-47641 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00319 |
| scoring_system |
epss |
| scoring_elements |
0.54953 |
| published_at |
2026-04-09T12:55:00Z |
|
| 1 |
| value |
0.00319 |
| scoring_system |
epss |
| scoring_elements |
0.54919 |
| published_at |
2026-04-24T12:55:00Z |
|
| 2 |
| value |
0.00319 |
| scoring_system |
epss |
| scoring_elements |
0.54943 |
| published_at |
2026-04-21T12:55:00Z |
|
| 3 |
| value |
0.00319 |
| scoring_system |
epss |
| scoring_elements |
0.54961 |
| published_at |
2026-04-16T12:55:00Z |
|
| 4 |
| value |
0.00319 |
| scoring_system |
epss |
| scoring_elements |
0.54924 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.00319 |
| scoring_system |
epss |
| scoring_elements |
0.54947 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00319 |
| scoring_system |
epss |
| scoring_elements |
0.54908 |
| published_at |
2026-04-02T12:55:00Z |
|
| 7 |
| value |
0.00319 |
| scoring_system |
epss |
| scoring_elements |
0.54965 |
| published_at |
2026-04-18T12:55:00Z |
|
| 8 |
| value |
0.00319 |
| scoring_system |
epss |
| scoring_elements |
0.54934 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00319 |
| scoring_system |
epss |
| scoring_elements |
0.54904 |
| published_at |
2026-04-07T12:55:00Z |
|
| 10 |
| value |
0.00319 |
| scoring_system |
epss |
| scoring_elements |
0.54954 |
| published_at |
2026-04-08T12:55:00Z |
|
| 11 |
| value |
0.00358 |
| scoring_system |
epss |
| scoring_elements |
0.58083 |
| published_at |
2026-05-14T12:55:00Z |
|
| 12 |
| value |
0.00358 |
| scoring_system |
epss |
| scoring_elements |
0.5793 |
| published_at |
2026-05-05T12:55:00Z |
|
| 13 |
| value |
0.00358 |
| scoring_system |
epss |
| scoring_elements |
0.58034 |
| published_at |
2026-05-09T12:55:00Z |
|
| 14 |
| value |
0.00358 |
| scoring_system |
epss |
| scoring_elements |
0.57984 |
| published_at |
2026-05-11T12:55:00Z |
|
| 15 |
| value |
0.00358 |
| scoring_system |
epss |
| scoring_elements |
0.58013 |
| published_at |
2026-05-12T12:55:00Z |
|
| 16 |
| value |
0.00358 |
| scoring_system |
epss |
| scoring_elements |
0.57972 |
| published_at |
2026-05-07T12:55:00Z |
|
| 17 |
| value |
0.00358 |
| scoring_system |
epss |
| scoring_elements |
0.57989 |
| published_at |
2026-04-26T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-47641 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/aio-libs/aiohttp |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N |
|
| 1 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/aio-libs/aiohttp |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/aiohttp@3.8.0 |
| purl |
pkg:pypi/aiohttp@3.8.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-19q4-vzzb-8uca |
|
| 1 |
| vulnerability |
VCID-5f1f-mrwv-zucz |
|
| 2 |
| vulnerability |
VCID-bcuu-jvzt-6fhn |
|
| 3 |
| vulnerability |
VCID-bhkk-2b7c-wfgr |
|
| 4 |
| vulnerability |
VCID-cg9h-fysf-xygf |
|
| 5 |
| vulnerability |
VCID-d3pa-kwgz-vuag |
|
| 6 |
| vulnerability |
VCID-dr2r-7qda-tfh5 |
|
| 7 |
| vulnerability |
VCID-drqp-x9gc-2qd3 |
|
| 8 |
| vulnerability |
VCID-ft9z-nd6x-27dz |
|
| 9 |
| vulnerability |
VCID-g4rj-1kzy-pkft |
|
| 10 |
| vulnerability |
VCID-hyh4-58xy-xfge |
|
| 11 |
| vulnerability |
VCID-jxqg-x9dh-z3hb |
|
| 12 |
| vulnerability |
VCID-k122-7d38-2ug5 |
|
| 13 |
| vulnerability |
VCID-kf4p-q9n9-ayhn |
|
| 14 |
| vulnerability |
VCID-peyu-fxyx-ayde |
|
| 15 |
| vulnerability |
VCID-pmr9-w1fc-93cm |
|
| 16 |
| vulnerability |
VCID-pqus-ew4j-k7da |
|
| 17 |
| vulnerability |
VCID-qrus-4szm-c3bj |
|
| 18 |
| vulnerability |
VCID-qt9z-6kwe-wbht |
|
| 19 |
| vulnerability |
VCID-sjws-ddnq-fke2 |
|
| 20 |
| vulnerability |
VCID-t9gx-etxx-vkgb |
|
| 21 |
| vulnerability |
VCID-tmjw-8cdt-7yf7 |
|
| 22 |
| vulnerability |
VCID-tn28-662n-vug8 |
|
| 23 |
| vulnerability |
VCID-ttq3-65ny-skdg |
|
| 24 |
| vulnerability |
VCID-ue33-na1g-rqa7 |
|
| 25 |
| vulnerability |
VCID-vqvz-jfqh-jkaz |
|
| 26 |
| vulnerability |
VCID-zf8d-kxf1-sqds |
|
| 27 |
| vulnerability |
VCID-zm3a-mf2z-xfcm |
|
| 28 |
| vulnerability |
VCID-zrgm-47ph-x3g3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.8.0 |
|
|
| aliases |
CVE-2023-47641, GHSA-xx9p-xxvh-7g8j, PYSEC-2023-247
|
| risk_score |
3.0 |
| exploitability |
0.5 |
| weighted_severity |
5.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t2aj-cszz-tyd7 |
|
| 22 |
| url |
VCID-t9gx-etxx-vkgb |
| vulnerability_id |
VCID-t9gx-etxx-vkgb |
| summary |
AIOHTTP vulnerable to DoS when bypassing asserts
### Summary
When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.
### Impact
If optimisations are enabled (`-O` or `PYTHONOPTIMIZE=1`), and the application includes a handler that uses the `Request.post()` method, then an attacker may be able to execute a DoS attack with a specially crafted message.
------
Patch: https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259 |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-69227 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.1932 |
| published_at |
2026-05-05T12:55:00Z |
|
| 1 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.1943 |
| published_at |
2026-04-29T12:55:00Z |
|
| 2 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19467 |
| published_at |
2026-04-26T12:55:00Z |
|
| 3 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19479 |
| published_at |
2026-04-24T12:55:00Z |
|
| 4 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19584 |
| published_at |
2026-04-21T12:55:00Z |
|
| 5 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19572 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19565 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19587 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19646 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19695 |
| published_at |
2026-04-11T12:55:00Z |
|
| 10 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19782 |
| published_at |
2026-04-02T12:55:00Z |
|
| 11 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19689 |
| published_at |
2026-04-09T12:55:00Z |
|
| 12 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19637 |
| published_at |
2026-04-08T12:55:00Z |
|
| 13 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19557 |
| published_at |
2026-04-07T12:55:00Z |
|
| 14 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19835 |
| published_at |
2026-04-04T12:55:00Z |
|
| 15 |
| value |
0.00082 |
| scoring_system |
epss |
| scoring_elements |
0.23842 |
| published_at |
2026-05-14T12:55:00Z |
|
| 16 |
| value |
0.00082 |
| scoring_system |
epss |
| scoring_elements |
0.23714 |
| published_at |
2026-05-07T12:55:00Z |
|
| 17 |
| value |
0.00082 |
| scoring_system |
epss |
| scoring_elements |
0.23784 |
| published_at |
2026-05-09T12:55:00Z |
|
| 18 |
| value |
0.00082 |
| scoring_system |
epss |
| scoring_elements |
0.23729 |
| published_at |
2026-05-11T12:55:00Z |
|
| 19 |
| value |
0.00082 |
| scoring_system |
epss |
| scoring_elements |
0.23748 |
| published_at |
2026-05-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-69227 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-69227, GHSA-jj3x-wxrx-4x23
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t9gx-etxx-vkgb |
|
| 23 |
| url |
VCID-tmjw-8cdt-7yf7 |
| vulnerability_id |
VCID-tmjw-8cdt-7yf7 |
| summary |
|
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34520 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.13027 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.13732 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00055 |
| scoring_system |
epss |
| scoring_elements |
0.17488 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00055 |
| scoring_system |
epss |
| scoring_elements |
0.17329 |
| published_at |
2026-04-16T12:55:00Z |
|
| 4 |
| value |
0.00055 |
| scoring_system |
epss |
| scoring_elements |
0.17387 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.00055 |
| scoring_system |
epss |
| scoring_elements |
0.17325 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00055 |
| scoring_system |
epss |
| scoring_elements |
0.17416 |
| published_at |
2026-04-08T12:55:00Z |
|
| 7 |
| value |
0.00055 |
| scoring_system |
epss |
| scoring_elements |
0.17476 |
| published_at |
2026-04-09T12:55:00Z |
|
| 8 |
| value |
0.00055 |
| scoring_system |
epss |
| scoring_elements |
0.17441 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17912 |
| published_at |
2026-04-18T12:55:00Z |
|
| 10 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17836 |
| published_at |
2026-04-26T12:55:00Z |
|
| 11 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17858 |
| published_at |
2026-04-24T12:55:00Z |
|
| 12 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17799 |
| published_at |
2026-04-29T12:55:00Z |
|
| 13 |
| value |
0.00057 |
| scoring_system |
epss |
| scoring_elements |
0.17948 |
| published_at |
2026-04-21T12:55:00Z |
|
| 14 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19304 |
| published_at |
2026-05-11T12:55:00Z |
|
| 15 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19438 |
| published_at |
2026-05-14T12:55:00Z |
|
| 16 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.1917 |
| published_at |
2026-05-05T12:55:00Z |
|
| 17 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19252 |
| published_at |
2026-05-07T12:55:00Z |
|
| 18 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.1934 |
| published_at |
2026-05-12T12:55:00Z |
|
| 19 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19342 |
| published_at |
2026-05-09T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-34520 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/aio-libs/aiohttp |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
|
| 1 |
| value |
2.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/aio-libs/aiohttp |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-34520, GHSA-63hf-3vf5-4wqf
|
| risk_score |
4.1 |
| exploitability |
0.5 |
| weighted_severity |
8.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tmjw-8cdt-7yf7 |
|
| 24 |
| url |
VCID-tn28-662n-vug8 |
| vulnerability_id |
VCID-tn28-662n-vug8 |
| summary |
aiohttp Cross-site Scripting vulnerability on index pages for static file handling
### Summary
An XSS vulnerability exists on index pages for static file handling.
### Details
When using `web.static(..., show_index=True)`, the resulting index pages do not escape file names.
If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks.
### Workaround
We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected.
Other users can disable `show_index` if unable to upgrade.
-----
Patch: https://github.com/aio-libs/aiohttp/pull/8319/files |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-27306 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00593 |
| scoring_system |
epss |
| scoring_elements |
0.69288 |
| published_at |
2026-04-21T12:55:00Z |
|
| 1 |
| value |
0.00593 |
| scoring_system |
epss |
| scoring_elements |
0.6934 |
| published_at |
2026-04-24T12:55:00Z |
|
| 2 |
| value |
0.0069 |
| scoring_system |
epss |
| scoring_elements |
0.7187 |
| published_at |
2026-05-11T12:55:00Z |
|
| 3 |
| value |
0.0069 |
| scoring_system |
epss |
| scoring_elements |
0.71906 |
| published_at |
2026-05-09T12:55:00Z |
|
| 4 |
| value |
0.0069 |
| scoring_system |
epss |
| scoring_elements |
0.71957 |
| published_at |
2026-05-14T12:55:00Z |
|
| 5 |
| value |
0.0069 |
| scoring_system |
epss |
| scoring_elements |
0.71899 |
| published_at |
2026-05-12T12:55:00Z |
|
| 6 |
| value |
0.00709 |
| scoring_system |
epss |
| scoring_elements |
0.72284 |
| published_at |
2026-04-29T12:55:00Z |
|
| 7 |
| value |
0.00709 |
| scoring_system |
epss |
| scoring_elements |
0.72288 |
| published_at |
2026-04-26T12:55:00Z |
|
| 8 |
| value |
0.00709 |
| scoring_system |
epss |
| scoring_elements |
0.72302 |
| published_at |
2026-05-07T12:55:00Z |
|
| 9 |
| value |
0.00709 |
| scoring_system |
epss |
| scoring_elements |
0.72274 |
| published_at |
2026-05-05T12:55:00Z |
|
| 10 |
| value |
0.00749 |
| scoring_system |
epss |
| scoring_elements |
0.73167 |
| published_at |
2026-04-18T12:55:00Z |
|
| 11 |
| value |
0.00749 |
| scoring_system |
epss |
| scoring_elements |
0.73158 |
| published_at |
2026-04-16T12:55:00Z |
|
| 12 |
| value |
0.00749 |
| scoring_system |
epss |
| scoring_elements |
0.73115 |
| published_at |
2026-04-13T12:55:00Z |
|
| 13 |
| value |
0.00749 |
| scoring_system |
epss |
| scoring_elements |
0.73121 |
| published_at |
2026-04-12T12:55:00Z |
|
| 14 |
| value |
0.00749 |
| scoring_system |
epss |
| scoring_elements |
0.73141 |
| published_at |
2026-04-11T12:55:00Z |
|
| 15 |
| value |
0.00749 |
| scoring_system |
epss |
| scoring_elements |
0.73117 |
| published_at |
2026-04-09T12:55:00Z |
|
| 16 |
| value |
0.00749 |
| scoring_system |
epss |
| scoring_elements |
0.73103 |
| published_at |
2026-04-08T12:55:00Z |
|
| 17 |
| value |
0.00749 |
| scoring_system |
epss |
| scoring_elements |
0.73066 |
| published_at |
2026-04-07T12:55:00Z |
|
| 18 |
| value |
0.00749 |
| scoring_system |
epss |
| scoring_elements |
0.73092 |
| published_at |
2026-04-04T12:55:00Z |
|
| 19 |
| value |
0.00749 |
| scoring_system |
epss |
| scoring_elements |
0.73072 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-27306 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/aiohttp@3.9.4 |
| purl |
pkg:pypi/aiohttp@3.9.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-19q4-vzzb-8uca |
|
| 1 |
| vulnerability |
VCID-5f1f-mrwv-zucz |
|
| 2 |
| vulnerability |
VCID-cg9h-fysf-xygf |
|
| 3 |
| vulnerability |
VCID-d3pa-kwgz-vuag |
|
| 4 |
| vulnerability |
VCID-dr2r-7qda-tfh5 |
|
| 5 |
| vulnerability |
VCID-drqp-x9gc-2qd3 |
|
| 6 |
| vulnerability |
VCID-ft9z-nd6x-27dz |
|
| 7 |
| vulnerability |
VCID-g4rj-1kzy-pkft |
|
| 8 |
| vulnerability |
VCID-hyh4-58xy-xfge |
|
| 9 |
| vulnerability |
VCID-k122-7d38-2ug5 |
|
| 10 |
| vulnerability |
VCID-kf4p-q9n9-ayhn |
|
| 11 |
| vulnerability |
VCID-peyu-fxyx-ayde |
|
| 12 |
| vulnerability |
VCID-qrus-4szm-c3bj |
|
| 13 |
| vulnerability |
VCID-qt9z-6kwe-wbht |
|
| 14 |
| vulnerability |
VCID-sjws-ddnq-fke2 |
|
| 15 |
| vulnerability |
VCID-t9gx-etxx-vkgb |
|
| 16 |
| vulnerability |
VCID-tmjw-8cdt-7yf7 |
|
| 17 |
| vulnerability |
VCID-vqvz-jfqh-jkaz |
|
| 18 |
| vulnerability |
VCID-zm3a-mf2z-xfcm |
|
| 19 |
| vulnerability |
VCID-zrgm-47ph-x3g3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.9.4 |
|
|
| aliases |
CVE-2024-27306, GHSA-7gpw-8wmc-pm8g
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tn28-662n-vug8 |
|
| 25 |
| url |
VCID-ttq3-65ny-skdg |
| vulnerability_id |
VCID-ttq3-65ny-skdg |
| summary |
aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser
### Impact
aiohttp v3.8.4 and earlier are [bundled with llhttp v6.0.6](https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules) which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel.
This vulnerability only affects users of aiohttp as an HTTP server (i.e. `aiohttp.web.Application`); you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (i.e. `aiohttp.ClientSession`).
### Reproducer
```python
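from aiohttp import web


async def example(request: web.Request):
    """Echo the parsed request headers and body back to the client.

    The response text shows how the server-side parser interpreted the
    incoming request, which is what the advisory's expected/actual output
    compares.
    """
    headers = dict(request.headers)
    body = await request.content.read()
    return web.Response(text=f"headers: {headers} body: {body}")


app = web.Application()
app.add_routes([web.post('/', example)])
# Starts the server; the console transcript that follows talks to localhost:8080.
web.run_app(app)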
```
Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling.
```console
$ printf "POST / HTTP/1.1\r\nHost: localhost:8080\r\nX-Abc: \rxTransfer-Encoding: chunked\r\n\r\n1\r\nA\r\n0\r\n\r\n" \
| nc localhost 8080
Expected output:
headers: {'Host': 'localhost:8080', 'X-Abc': '\rxTransfer-Encoding: chunked'} body: b''
Actual output (note that 'Transfer-Encoding: chunked' is an HTTP header now and body is treated differently)
headers: {'Host': 'localhost:8080', 'X-Abc': '', 'Transfer-Encoding': 'chunked'} body: b'A'
```
### Patches
Upgrade to the latest version of aiohttp to resolve this vulnerability. It has been fixed in v3.8.5: [`pip install "aiohttp>=3.8.5"`](https://pypi.org/project/aiohttp/3.8.5/) (quote the requirement so the shell does not treat `>` as an output redirect).
### Workarounds
If you aren't able to upgrade you can reinstall aiohttp using `AIOHTTP_NO_EXTENSIONS=1` as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable to request smuggling:
```console
$ python -m pip uninstall --yes aiohttp
$ AIOHTTP_NO_EXTENSIONS=1 python -m pip install --no-binary=aiohttp --no-cache aiohttp
```
### References
* https://nvd.nist.gov/vuln/detail/CVE-2023-30589
* https://hackerone.com/reports/2001873 |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-37276 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.05775 |
| scoring_system |
epss |
| scoring_elements |
0.90497 |
| published_at |
2026-04-21T12:55:00Z |
|
| 1 |
| value |
0.05775 |
| scoring_system |
epss |
| scoring_elements |
0.9048 |
| published_at |
2026-04-09T12:55:00Z |
|
| 2 |
| value |
0.05775 |
| scoring_system |
epss |
| scoring_elements |
0.90474 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.05775 |
| scoring_system |
epss |
| scoring_elements |
0.90462 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.05775 |
| scoring_system |
epss |
| scoring_elements |
0.90456 |
| published_at |
2026-04-04T12:55:00Z |
|
| 5 |
| value |
0.05775 |
| scoring_system |
epss |
| scoring_elements |
0.90444 |
| published_at |
2026-04-02T12:55:00Z |
|
| 6 |
| value |
0.05775 |
| scoring_system |
epss |
| scoring_elements |
0.90566 |
| published_at |
2026-05-14T12:55:00Z |
|
| 7 |
| value |
0.05775 |
| scoring_system |
epss |
| scoring_elements |
0.90552 |
| published_at |
2026-05-12T12:55:00Z |
|
| 8 |
| value |
0.05775 |
| scoring_system |
epss |
| scoring_elements |
0.90543 |
| published_at |
2026-05-11T12:55:00Z |
|
| 9 |
| value |
0.05775 |
| scoring_system |
epss |
| scoring_elements |
0.90545 |
| published_at |
2026-05-09T12:55:00Z |
|
| 10 |
| value |
0.05775 |
| scoring_system |
epss |
| scoring_elements |
0.90534 |
| published_at |
2026-05-07T12:55:00Z |
|
| 11 |
| value |
0.05775 |
| scoring_system |
epss |
| scoring_elements |
0.90516 |
| published_at |
2026-05-05T12:55:00Z |
|
| 12 |
| value |
0.05775 |
| scoring_system |
epss |
| scoring_elements |
0.90506 |
| published_at |
2026-04-29T12:55:00Z |
|
| 13 |
| value |
0.05775 |
| scoring_system |
epss |
| scoring_elements |
0.90509 |
| published_at |
2026-04-26T12:55:00Z |
|
| 14 |
| value |
0.05775 |
| scoring_system |
epss |
| scoring_elements |
0.90498 |
| published_at |
2026-04-18T12:55:00Z |
|
| 15 |
| value |
0.05775 |
| scoring_system |
epss |
| scoring_elements |
0.90481 |
| published_at |
2026-04-13T12:55:00Z |
|
| 16 |
| value |
0.05775 |
| scoring_system |
epss |
| scoring_elements |
0.90487 |
| published_at |
2026-04-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-37276 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/aio-libs/aiohttp |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/aio-libs/aiohttp |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
| reference_url |
https://hackerone.com/reports/2001873 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-18T16:05:51Z/ |
|
|
| url |
https://hackerone.com/reports/2001873 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/aiohttp@3.8.5 |
| purl |
pkg:pypi/aiohttp@3.8.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-19q4-vzzb-8uca |
|
| 1 |
| vulnerability |
VCID-5f1f-mrwv-zucz |
|
| 2 |
| vulnerability |
VCID-bcuu-jvzt-6fhn |
|
| 3 |
| vulnerability |
VCID-bhkk-2b7c-wfgr |
|
| 4 |
| vulnerability |
VCID-cg9h-fysf-xygf |
|
| 5 |
| vulnerability |
VCID-d3pa-kwgz-vuag |
|
| 6 |
| vulnerability |
VCID-dr2r-7qda-tfh5 |
|
| 7 |
| vulnerability |
VCID-drqp-x9gc-2qd3 |
|
| 8 |
| vulnerability |
VCID-ft9z-nd6x-27dz |
|
| 9 |
| vulnerability |
VCID-g4rj-1kzy-pkft |
|
| 10 |
| vulnerability |
VCID-hyh4-58xy-xfge |
|
| 11 |
| vulnerability |
VCID-jxqg-x9dh-z3hb |
|
| 12 |
| vulnerability |
VCID-k122-7d38-2ug5 |
|
| 13 |
| vulnerability |
VCID-kf4p-q9n9-ayhn |
|
| 14 |
| vulnerability |
VCID-peyu-fxyx-ayde |
|
| 15 |
| vulnerability |
VCID-pmr9-w1fc-93cm |
|
| 16 |
| vulnerability |
VCID-pqus-ew4j-k7da |
|
| 17 |
| vulnerability |
VCID-qrus-4szm-c3bj |
|
| 18 |
| vulnerability |
VCID-qt9z-6kwe-wbht |
|
| 19 |
| vulnerability |
VCID-sjws-ddnq-fke2 |
|
| 20 |
| vulnerability |
VCID-t9gx-etxx-vkgb |
|
| 21 |
| vulnerability |
VCID-tmjw-8cdt-7yf7 |
|
| 22 |
| vulnerability |
VCID-tn28-662n-vug8 |
|
| 23 |
| vulnerability |
VCID-ue33-na1g-rqa7 |
|
| 24 |
| vulnerability |
VCID-vqvz-jfqh-jkaz |
|
| 25 |
| vulnerability |
VCID-zf8d-kxf1-sqds |
|
| 26 |
| vulnerability |
VCID-zm3a-mf2z-xfcm |
|
| 27 |
| vulnerability |
VCID-zrgm-47ph-x3g3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.8.5 |
|
| 1 |
|
|
| aliases |
CVE-2023-37276, GHSA-45c4-8wx5-qw6w, PYSEC-2023-120
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ttq3-65ny-skdg |
|
| 26 |
| url |
VCID-ue33-na1g-rqa7 |
| vulnerability_id |
VCID-ue33-na1g-rqa7 |
| summary |
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request, they will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-49082 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44791 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44481 |
| published_at |
2026-05-05T12:55:00Z |
|
| 2 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44596 |
| published_at |
2026-04-29T12:55:00Z |
|
| 3 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44675 |
| published_at |
2026-04-26T12:55:00Z |
|
| 4 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44668 |
| published_at |
2026-04-24T12:55:00Z |
|
| 5 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44749 |
| published_at |
2026-04-21T12:55:00Z |
|
| 6 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.4482 |
| published_at |
2026-04-18T12:55:00Z |
|
| 7 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44826 |
| published_at |
2026-04-16T12:55:00Z |
|
| 8 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44773 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44772 |
| published_at |
2026-04-12T12:55:00Z |
|
| 10 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44802 |
| published_at |
2026-04-11T12:55:00Z |
|
| 11 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44786 |
| published_at |
2026-04-09T12:55:00Z |
|
| 12 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44783 |
| published_at |
2026-04-08T12:55:00Z |
|
| 13 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.4473 |
| published_at |
2026-04-07T12:55:00Z |
|
| 14 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.4477 |
| published_at |
2026-04-02T12:55:00Z |
|
| 15 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44603 |
| published_at |
2026-05-14T12:55:00Z |
|
| 16 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44532 |
| published_at |
2026-05-12T12:55:00Z |
|
| 17 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44503 |
| published_at |
2026-05-11T12:55:00Z |
|
| 18 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44566 |
| published_at |
2026-05-09T12:55:00Z |
|
| 19 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44551 |
| published_at |
2026-05-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-49082 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/aio-libs/aiohttp |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/aio-libs/aiohttp |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/aiohttp@3.9.0 |
| purl |
pkg:pypi/aiohttp@3.9.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-19q4-vzzb-8uca |
|
| 1 |
| vulnerability |
VCID-5f1f-mrwv-zucz |
|
| 2 |
| vulnerability |
VCID-bhkk-2b7c-wfgr |
|
| 3 |
| vulnerability |
VCID-cg9h-fysf-xygf |
|
| 4 |
| vulnerability |
VCID-d3pa-kwgz-vuag |
|
| 5 |
| vulnerability |
VCID-dr2r-7qda-tfh5 |
|
| 6 |
| vulnerability |
VCID-drqp-x9gc-2qd3 |
|
| 7 |
| vulnerability |
VCID-ft9z-nd6x-27dz |
|
| 8 |
| vulnerability |
VCID-g4rj-1kzy-pkft |
|
| 9 |
| vulnerability |
VCID-hyh4-58xy-xfge |
|
| 10 |
| vulnerability |
VCID-jxqg-x9dh-z3hb |
|
| 11 |
| vulnerability |
VCID-k122-7d38-2ug5 |
|
| 12 |
| vulnerability |
VCID-kf4p-q9n9-ayhn |
|
| 13 |
| vulnerability |
VCID-peyu-fxyx-ayde |
|
| 14 |
| vulnerability |
VCID-pqus-ew4j-k7da |
|
| 15 |
| vulnerability |
VCID-qrus-4szm-c3bj |
|
| 16 |
| vulnerability |
VCID-qt9z-6kwe-wbht |
|
| 17 |
| vulnerability |
VCID-sjws-ddnq-fke2 |
|
| 18 |
| vulnerability |
VCID-t9gx-etxx-vkgb |
|
| 19 |
| vulnerability |
VCID-tmjw-8cdt-7yf7 |
|
| 20 |
| vulnerability |
VCID-tn28-662n-vug8 |
|
| 21 |
| vulnerability |
VCID-vqvz-jfqh-jkaz |
|
| 22 |
| vulnerability |
VCID-zm3a-mf2z-xfcm |
|
| 23 |
| vulnerability |
VCID-zrgm-47ph-x3g3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.9.0 |
|
|
| aliases |
CVE-2023-49082, GHSA-qvrw-v9rv-5rjx, PYSEC-2023-251
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ue33-na1g-rqa7 |
|
| 27 |
| url |
VCID-vqvz-jfqh-jkaz |
| vulnerability_id |
VCID-vqvz-jfqh-jkaz |
| summary |
AIOHTTP vulnerable to brute-force leak of internal static file path components
### Summary
Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the
existence of absolute path components.
### Impact
If an application uses `web.static()` (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components.
------
Patch: https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-69226 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19458 |
| published_at |
2026-05-05T12:55:00Z |
|
| 1 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19575 |
| published_at |
2026-04-29T12:55:00Z |
|
| 2 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19611 |
| published_at |
2026-04-26T12:55:00Z |
|
| 3 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19625 |
| published_at |
2026-04-24T12:55:00Z |
|
| 4 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.1973 |
| published_at |
2026-04-21T12:55:00Z |
|
| 5 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19718 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19716 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19741 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19798 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19843 |
| published_at |
2026-04-11T12:55:00Z |
|
| 10 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19927 |
| published_at |
2026-04-02T12:55:00Z |
|
| 11 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.1984 |
| published_at |
2026-04-09T12:55:00Z |
|
| 12 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19788 |
| published_at |
2026-04-08T12:55:00Z |
|
| 13 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19982 |
| published_at |
2026-04-04T12:55:00Z |
|
| 14 |
| value |
0.00063 |
| scoring_system |
epss |
| scoring_elements |
0.19708 |
| published_at |
2026-04-07T12:55:00Z |
|
| 15 |
| value |
0.0007 |
| scoring_system |
epss |
| scoring_elements |
0.21413 |
| published_at |
2026-05-14T12:55:00Z |
|
| 16 |
| value |
0.0007 |
| scoring_system |
epss |
| scoring_elements |
0.2125 |
| published_at |
2026-05-07T12:55:00Z |
|
| 17 |
| value |
0.0007 |
| scoring_system |
epss |
| scoring_elements |
0.21339 |
| published_at |
2026-05-09T12:55:00Z |
|
| 18 |
| value |
0.0007 |
| scoring_system |
epss |
| scoring_elements |
0.21315 |
| published_at |
2026-05-11T12:55:00Z |
|
| 19 |
| value |
0.0007 |
| scoring_system |
epss |
| scoring_elements |
0.21336 |
| published_at |
2026-05-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-69226 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-69226, GHSA-54jq-c3m8-4m76
|
| risk_score |
2.9 |
| exploitability |
0.5 |
| weighted_severity |
5.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vqvz-jfqh-jkaz |
|
| 28 |
| url |
VCID-wrsz-1761-ybeq |
| vulnerability_id |
VCID-wrsz-1761-ybeq |
| summary |
aio-libs aiohttp-session contains a Session Fixation vulnerability in the load_session function for RedisStorage (see: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L42) that can result in Session Hijacking. This attack appears to be exploitable via any method that allows setting session cookies (?session=<>, or meta tags or script tags with Set-Cookie). |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2018-1000519 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00217 |
| scoring_system |
epss |
| scoring_elements |
0.44139 |
| published_at |
2026-05-14T12:55:00Z |
|
| 1 |
| value |
0.00217 |
| scoring_system |
epss |
| scoring_elements |
0.4425 |
| published_at |
2026-04-01T12:55:00Z |
|
| 2 |
| value |
0.00217 |
| scoring_system |
epss |
| scoring_elements |
0.44321 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.00217 |
| scoring_system |
epss |
| scoring_elements |
0.44343 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.00217 |
| scoring_system |
epss |
| scoring_elements |
0.44279 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00217 |
| scoring_system |
epss |
| scoring_elements |
0.44331 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00217 |
| scoring_system |
epss |
| scoring_elements |
0.44336 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.00217 |
| scoring_system |
epss |
| scoring_elements |
0.44354 |
| published_at |
2026-04-11T12:55:00Z |
|
| 8 |
| value |
0.00217 |
| scoring_system |
epss |
| scoring_elements |
0.44322 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00217 |
| scoring_system |
epss |
| scoring_elements |
0.4432 |
| published_at |
2026-04-13T12:55:00Z |
|
| 10 |
| value |
0.00217 |
| scoring_system |
epss |
| scoring_elements |
0.44377 |
| published_at |
2026-04-16T12:55:00Z |
|
| 11 |
| value |
0.00217 |
| scoring_system |
epss |
| scoring_elements |
0.44368 |
| published_at |
2026-04-18T12:55:00Z |
|
| 12 |
| value |
0.00217 |
| scoring_system |
epss |
| scoring_elements |
0.44297 |
| published_at |
2026-04-21T12:55:00Z |
|
| 13 |
| value |
0.00217 |
| scoring_system |
epss |
| scoring_elements |
0.44212 |
| published_at |
2026-04-24T12:55:00Z |
|
| 14 |
| value |
0.00217 |
| scoring_system |
epss |
| scoring_elements |
0.44215 |
| published_at |
2026-04-26T12:55:00Z |
|
| 15 |
| value |
0.00217 |
| scoring_system |
epss |
| scoring_elements |
0.44133 |
| published_at |
2026-04-29T12:55:00Z |
|
| 16 |
| value |
0.00217 |
| scoring_system |
epss |
| scoring_elements |
0.44012 |
| published_at |
2026-05-05T12:55:00Z |
|
| 17 |
| value |
0.00217 |
| scoring_system |
epss |
| scoring_elements |
0.44089 |
| published_at |
2026-05-07T12:55:00Z |
|
| 18 |
| value |
0.00217 |
| scoring_system |
epss |
| scoring_elements |
0.44106 |
| published_at |
2026-05-09T12:55:00Z |
|
| 19 |
| value |
0.00217 |
| scoring_system |
epss |
| scoring_elements |
0.44043 |
| published_at |
2026-05-11T12:55:00Z |
|
| 20 |
| value |
0.00217 |
| scoring_system |
epss |
| scoring_elements |
0.44073 |
| published_at |
2026-05-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2018-1000519 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://nvd.nist.gov/vuln/detail/CVE-2018-1000519 |
| reference_id |
CVE-2018-1000519 |
| reference_type |
|
| scores |
| 0 |
| value |
4.3 |
| scoring_system |
cvssv2 |
| scoring_elements |
AV:N/AC:M/Au:N/C:N/I:P/A:N |
|
| 1 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
|
| 2 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
|
| 3 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://nvd.nist.gov/vuln/detail/CVE-2018-1000519 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:pypi/aiohttp@3.0.0b0 |
| purl |
pkg:pypi/aiohttp@3.0.0b0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-19q4-vzzb-8uca |
|
| 1 |
| vulnerability |
VCID-5f1f-mrwv-zucz |
|
| 2 |
| vulnerability |
VCID-88cm-cxp9-ekgn |
|
| 3 |
| vulnerability |
VCID-bcuu-jvzt-6fhn |
|
| 4 |
| vulnerability |
VCID-bhkk-2b7c-wfgr |
|
| 5 |
| vulnerability |
VCID-cg9h-fysf-xygf |
|
| 6 |
| vulnerability |
VCID-d3pa-kwgz-vuag |
|
| 7 |
| vulnerability |
VCID-dr2r-7qda-tfh5 |
|
| 8 |
| vulnerability |
VCID-drqp-x9gc-2qd3 |
|
| 9 |
| vulnerability |
VCID-ft9z-nd6x-27dz |
|
| 10 |
| vulnerability |
VCID-g4rj-1kzy-pkft |
|
| 11 |
| vulnerability |
VCID-hyh4-58xy-xfge |
|
| 12 |
| vulnerability |
VCID-jxqg-x9dh-z3hb |
|
| 13 |
| vulnerability |
VCID-k122-7d38-2ug5 |
|
| 14 |
| vulnerability |
VCID-kf4p-q9n9-ayhn |
|
| 15 |
| vulnerability |
VCID-peyu-fxyx-ayde |
|
| 16 |
| vulnerability |
VCID-pmr9-w1fc-93cm |
|
| 17 |
| vulnerability |
VCID-pqus-ew4j-k7da |
|
| 18 |
| vulnerability |
VCID-qrus-4szm-c3bj |
|
| 19 |
| vulnerability |
VCID-qt9z-6kwe-wbht |
|
| 20 |
| vulnerability |
VCID-sjws-ddnq-fke2 |
|
| 21 |
| vulnerability |
VCID-t2aj-cszz-tyd7 |
|
| 22 |
| vulnerability |
VCID-t9gx-etxx-vkgb |
|
| 23 |
| vulnerability |
VCID-tmjw-8cdt-7yf7 |
|
| 24 |
| vulnerability |
VCID-tn28-662n-vug8 |
|
| 25 |
| vulnerability |
VCID-ttq3-65ny-skdg |
|
| 26 |
| vulnerability |
VCID-ue33-na1g-rqa7 |
|
| 27 |
| vulnerability |
VCID-vqvz-jfqh-jkaz |
|
| 28 |
| vulnerability |
VCID-zf8d-kxf1-sqds |
|
| 29 |
| vulnerability |
VCID-zm3a-mf2z-xfcm |
|
| 30 |
| vulnerability |
VCID-zrgm-47ph-x3g3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.0.0b0 |
|
|
| aliases |
CVE-2018-1000519, GHSA-fpwp-69xv-c67f, PYSEC-2018-80
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wrsz-1761-ybeq |
|
| 29 |
| url |
VCID-zf8d-kxf1-sqds |
| vulnerability_id |
VCID-zf8d-kxf1-sqds |
| summary |
aiohttp has a vulnerable dependency (llhttp) that is susceptible to request smuggling
### Summary
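llhttp 8.1.1 is affected by two request smuggling vulnerabilities.
Details have not been disclosed yet, so refer to llhttp for future information.
The issue is resolved by using llhttp 9+ (which is included in aiohttp 3.8.6+).
Note that the fixed_packages entry in this record still marks aiohttp 3.8.6 as affected by other vulnerabilities, so treat 3.8.6 as the minimum version for this issue rather than as a recommended upgrade target. |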
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/aiohttp@3.8.6 |
| purl |
pkg:pypi/aiohttp@3.8.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-19q4-vzzb-8uca |
|
| 1 |
| vulnerability |
VCID-5f1f-mrwv-zucz |
|
| 2 |
| vulnerability |
VCID-bcuu-jvzt-6fhn |
|
| 3 |
| vulnerability |
VCID-bhkk-2b7c-wfgr |
|
| 4 |
| vulnerability |
VCID-cg9h-fysf-xygf |
|
| 5 |
| vulnerability |
VCID-d3pa-kwgz-vuag |
|
| 6 |
| vulnerability |
VCID-dr2r-7qda-tfh5 |
|
| 7 |
| vulnerability |
VCID-drqp-x9gc-2qd3 |
|
| 8 |
| vulnerability |
VCID-ft9z-nd6x-27dz |
|
| 9 |
| vulnerability |
VCID-g4rj-1kzy-pkft |
|
| 10 |
| vulnerability |
VCID-hyh4-58xy-xfge |
|
| 11 |
| vulnerability |
VCID-jxqg-x9dh-z3hb |
|
| 12 |
| vulnerability |
VCID-k122-7d38-2ug5 |
|
| 13 |
| vulnerability |
VCID-kf4p-q9n9-ayhn |
|
| 14 |
| vulnerability |
VCID-peyu-fxyx-ayde |
|
| 15 |
| vulnerability |
VCID-pqus-ew4j-k7da |
|
| 16 |
| vulnerability |
VCID-qrus-4szm-c3bj |
|
| 17 |
| vulnerability |
VCID-qt9z-6kwe-wbht |
|
| 18 |
| vulnerability |
VCID-sjws-ddnq-fke2 |
|
| 19 |
| vulnerability |
VCID-t9gx-etxx-vkgb |
|
| 20 |
| vulnerability |
VCID-tmjw-8cdt-7yf7 |
|
| 21 |
| vulnerability |
VCID-tn28-662n-vug8 |
|
| 22 |
| vulnerability |
VCID-ue33-na1g-rqa7 |
|
| 23 |
| vulnerability |
VCID-vqvz-jfqh-jkaz |
|
| 24 |
| vulnerability |
VCID-zm3a-mf2z-xfcm |
|
| 25 |
| vulnerability |
VCID-zrgm-47ph-x3g3 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.8.6 |
|
|
| aliases |
GHSA-pjjw-qhg8-p2p9, GMS-2023-5095
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zf8d-kxf1-sqds |
|
| 30 |
| url |
VCID-zm3a-mf2z-xfcm |
| vulnerability_id |
VCID-zm3a-mf2z-xfcm |
| summary |
AIOHTTP Vulnerable to Cookie Parser Warning Storm
### Summary
Reading multiple invalid cookies can lead to a logging storm.
### Impact
If the ``cookies`` attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header.
----
Patch: https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326 |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-69230 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.02649 |
| published_at |
2026-05-05T12:55:00Z |
|
| 1 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.02675 |
| published_at |
2026-04-29T12:55:00Z |
|
| 2 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.02618 |
| published_at |
2026-04-26T12:55:00Z |
|
| 3 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.02629 |
| published_at |
2026-04-24T12:55:00Z |
|
| 4 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.02641 |
| published_at |
2026-04-21T12:55:00Z |
|
| 5 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.02533 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.02528 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.02541 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.02554 |
| published_at |
2026-04-11T12:55:00Z |
|
| 9 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.02572 |
| published_at |
2026-04-09T12:55:00Z |
|
| 10 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.02529 |
| published_at |
2026-04-02T12:55:00Z |
|
| 11 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.02551 |
| published_at |
2026-04-08T12:55:00Z |
|
| 12 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.02543 |
| published_at |
2026-04-12T12:55:00Z |
|
| 13 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.02546 |
| published_at |
2026-04-07T12:55:00Z |
|
| 14 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03494 |
| published_at |
2026-05-14T12:55:00Z |
|
| 15 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03409 |
| published_at |
2026-05-07T12:55:00Z |
|
| 16 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03447 |
| published_at |
2026-05-09T12:55:00Z |
|
| 17 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03451 |
| published_at |
2026-05-11T12:55:00Z |
|
| 18 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03458 |
| published_at |
2026-05-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-69230 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-69230, GHSA-fh55-r93g-j68g
|
| risk_score |
2.5 |
| exploitability |
0.5 |
| weighted_severity |
4.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zm3a-mf2z-xfcm |
|
| 31 |
| url |
VCID-zrgm-47ph-x3g3 |
| vulnerability_id |
VCID-zrgm-47ph-x3g3 |
| summary |
aiohttp allows request smuggling due to incorrect parsing of chunk extensions
### Summary
The Python parser parses newlines in chunk extensions incorrectly, which can lead to request smuggling vulnerabilities under certain conditions.
### Impact
If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.
-----
Patch: https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71 |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-52304 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0042 |
| scoring_system |
epss |
| scoring_elements |
0.62059 |
| published_at |
2026-05-14T12:55:00Z |
|
| 1 |
| value |
0.0042 |
| scoring_system |
epss |
| scoring_elements |
0.62006 |
| published_at |
2026-05-12T12:55:00Z |
|
| 2 |
| value |
0.0042 |
| scoring_system |
epss |
| scoring_elements |
0.61978 |
| published_at |
2026-05-11T12:55:00Z |
|
| 3 |
| value |
0.0042 |
| scoring_system |
epss |
| scoring_elements |
0.62024 |
| published_at |
2026-05-09T12:55:00Z |
|
| 4 |
| value |
0.00456 |
| scoring_system |
epss |
| scoring_elements |
0.63892 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00456 |
| scoring_system |
epss |
| scoring_elements |
0.63954 |
| published_at |
2026-05-07T12:55:00Z |
|
| 6 |
| value |
0.00456 |
| scoring_system |
epss |
| scoring_elements |
0.63936 |
| published_at |
2026-04-29T12:55:00Z |
|
| 7 |
| value |
0.00456 |
| scoring_system |
epss |
| scoring_elements |
0.63939 |
| published_at |
2026-04-26T12:55:00Z |
|
| 8 |
| value |
0.00456 |
| scoring_system |
epss |
| scoring_elements |
0.63927 |
| published_at |
2026-04-24T12:55:00Z |
|
| 9 |
| value |
0.00456 |
| scoring_system |
epss |
| scoring_elements |
0.63923 |
| published_at |
2026-04-11T12:55:00Z |
|
| 10 |
| value |
0.00456 |
| scoring_system |
epss |
| scoring_elements |
0.63842 |
| published_at |
2026-04-07T12:55:00Z |
|
| 11 |
| value |
0.00456 |
| scoring_system |
epss |
| scoring_elements |
0.6391 |
| published_at |
2026-04-09T12:55:00Z |
|
| 12 |
| value |
0.00456 |
| scoring_system |
epss |
| scoring_elements |
0.63921 |
| published_at |
2026-04-18T12:55:00Z |
|
| 13 |
| value |
0.00456 |
| scoring_system |
epss |
| scoring_elements |
0.63911 |
| published_at |
2026-04-21T12:55:00Z |
|
| 14 |
| value |
0.00456 |
| scoring_system |
epss |
| scoring_elements |
0.63876 |
| published_at |
2026-04-13T12:55:00Z |
|
| 15 |
| value |
0.00456 |
| scoring_system |
epss |
| scoring_elements |
0.63909 |
| published_at |
2026-05-05T12:55:00Z |
|
| 16 |
| value |
0.00456 |
| scoring_system |
epss |
| scoring_elements |
0.63858 |
| published_at |
2026-04-02T12:55:00Z |
|
| 17 |
| value |
0.00456 |
| scoring_system |
epss |
| scoring_elements |
0.63885 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-52304 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/aio-libs/aiohttp |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/aio-libs/aiohttp |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-19T15:38:44Z/ |
|
|
| url |
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8495-4g3g-x7pr |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:pypi/aiohttp@3.10.11 |
| purl |
pkg:pypi/aiohttp@3.10.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-19q4-vzzb-8uca |
|
| 1 |
| vulnerability |
VCID-5f1f-mrwv-zucz |
|
| 2 |
| vulnerability |
VCID-cg9h-fysf-xygf |
|
| 3 |
| vulnerability |
VCID-d3pa-kwgz-vuag |
|
| 4 |
| vulnerability |
VCID-dr2r-7qda-tfh5 |
|
| 5 |
| vulnerability |
VCID-drqp-x9gc-2qd3 |
|
| 6 |
| vulnerability |
VCID-ft9z-nd6x-27dz |
|
| 7 |
| vulnerability |
VCID-g4rj-1kzy-pkft |
|
| 8 |
| vulnerability |
VCID-hyh4-58xy-xfge |
|
| 9 |
| vulnerability |
VCID-k122-7d38-2ug5 |
|
| 10 |
| vulnerability |
VCID-kf4p-q9n9-ayhn |
|
| 11 |
| vulnerability |
VCID-peyu-fxyx-ayde |
|
| 12 |
| vulnerability |
VCID-qrus-4szm-c3bj |
|
| 13 |
| vulnerability |
VCID-qt9z-6kwe-wbht |
|
| 14 |
| vulnerability |
VCID-sjws-ddnq-fke2 |
|
| 15 |
| vulnerability |
VCID-t9gx-etxx-vkgb |
|
| 16 |
| vulnerability |
VCID-tmjw-8cdt-7yf7 |
|
| 17 |
| vulnerability |
VCID-vqvz-jfqh-jkaz |
|
| 18 |
| vulnerability |
VCID-zm3a-mf2z-xfcm |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:pypi/aiohttp@3.10.11 |
|
|
| aliases |
CVE-2024-52304, GHSA-8495-4g3g-x7pr
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zrgm-47ph-x3g3 |
|