Package details: pkg:deb/debian/python-aiohttp@3.13.5-1
purl pkg:deb/debian/python-aiohttp@3.13.5-1
Next non-vulnerable version 3.14.0-1
Latest non-vulnerable version 3.14.0-1
Risk
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-kc4y-3rrv-77h4
Aliases:
CVE-2026-47265
GHSA-hg6j-4rv6-33pg
python-aiohttp: AIOHTTP: Information disclosure via improper handling of cookies during cross-origin redirects
3.14.0-1
Affected by 0 other vulnerabilities.
VCID-qs2p-udan-p3an
Aliases:
CVE-2026-34993
GHSA-jg22-mg44-37j8
AIOHTTP is Vulnerable to Deserialization of Untrusted Data

### Summary
Using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution.

### Impact
Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications.

### Workaround
If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitise the files before loading.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/dcf40f30637e8752c76781cf6703b5a236749a00
3.14.0-1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (10)
Vulnerability Summary Aliases
VCID-3v2v-g9dz-q7hu aiohttp: AIOHTTP: Information disclosure via retained Cookie and Proxy-Authorization headers during redirects CVE-2026-34518
GHSA-966j-vmvw-g2g9
VCID-7b59-eb63-tfcf aiohttp: AIOHTTP: Header injection vulnerability due to improper character handling CVE-2026-34520
GHSA-63hf-3vf5-4wqf
VCID-8mb3-gafx-8qaz aiohttp: AIOHTTP: Header Injection via content_type parameter manipulation CVE-2026-34514
GHSA-2vrm-gr82-f7m5
VCID-c1e6-tue3-8yce aiohttp: AIOHTTP: Denial of Service via insufficient header/trailer handling CVE-2026-22815
GHSA-w2fm-2cpv-w7v5
VCID-k3f4-wafv-3qgu aiohttp: AIOHTTP: Denial of Service via large multipart form fields CVE-2026-34517
GHSA-3wq7-rqq7-wx6j
VCID-k3nq-f446-bkas aiohttp: aiohttp: Security bypass via multiple Host headers CVE-2026-34525
GHSA-c427-h43c-vf67
VCID-m7wa-qdpv-wuhj aiohttp: AIOHTTP: Denial of Service via excessive multipart headers CVE-2026-34516
GHSA-m5qp-6w8w-w647
VCID-myz5-wsnu-u7a5 aiohttp: aiohttp: Header injection vulnerability via reason parameter CVE-2026-34519
GHSA-mwh4-6h8g-pg8w
VCID-w4mr-q1jr-1qfp aiohttp: AIOHTTP: Denial of Service due to unbounded DNS cache CVE-2026-34513
GHSA-hcc4-c3v8-rx92
VCID-yr3u-3vzh-1yhq AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections. The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. CVE-2025-53643
GHSA-9548-qrrj-x5pj

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-05T20:29:17.380710+00:00 Debian Importer Fixing VCID-m7wa-qdpv-wuhj https://security-tracker.debian.org/tracker/data/json 38.6.0
2026-06-05T20:05:33.703296+00:00 Debian Importer Fixing VCID-3v2v-g9dz-q7hu https://security-tracker.debian.org/tracker/data/json 38.6.0
2026-06-05T19:22:50.799397+00:00 Debian Importer Fixing VCID-yr3u-3vzh-1yhq https://security-tracker.debian.org/tracker/data/json 38.6.0
2026-06-05T19:10:31.760524+00:00 Debian Importer Fixing VCID-k3nq-f446-bkas https://security-tracker.debian.org/tracker/data/json 38.6.0
2026-06-05T18:56:06.015493+00:00 Debian Importer Fixing VCID-k3f4-wafv-3qgu https://security-tracker.debian.org/tracker/data/json 38.6.0
2026-06-05T18:56:02.213803+00:00 Debian Importer Fixing VCID-w4mr-q1jr-1qfp https://security-tracker.debian.org/tracker/data/json 38.6.0
2026-06-05T18:51:03.818396+00:00 Debian Importer Affected by VCID-kc4y-3rrv-77h4 https://security-tracker.debian.org/tracker/data/json 38.6.0
2026-06-05T18:50:17.592335+00:00 Debian Importer Fixing VCID-7b59-eb63-tfcf https://security-tracker.debian.org/tracker/data/json 38.6.0
2026-06-05T18:44:40.568816+00:00 Debian Importer Affected by VCID-qs2p-udan-p3an https://security-tracker.debian.org/tracker/data/json 38.6.0
2026-06-04T19:58:29.157800+00:00 Debian Importer Fixing VCID-myz5-wsnu-u7a5 https://security-tracker.debian.org/tracker/data/json 38.6.0
2026-06-04T19:57:57.671479+00:00 Debian Importer Fixing VCID-c1e6-tue3-8yce https://security-tracker.debian.org/tracker/data/json 38.6.0
2026-06-04T19:43:15.583082+00:00 Debian Importer Fixing VCID-8mb3-gafx-8qaz https://security-tracker.debian.org/tracker/data/json 38.6.0