CVE-2026-34993

NameCVE-2026-34993
DescriptionAIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1138781

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-aiohttp (PTS)bullseye3.7.4-1vulnerable
bullseye (security)3.7.4-1+deb11u2vulnerable
bookworm, bookworm (security)3.8.4-1+deb12u1vulnerable
trixie (security), trixie3.11.16-1+deb13u1vulnerable
forky, sid3.13.5-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-aiohttpsource(unstable)(unfixed)1138781

Notes

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jg22-mg44-37j8
https://github.com/aio-libs/aiohttp/commit/dcf40f30637e8752c76781cf6703b5a236749a00 (v3.14.0)
Search for package or bug name: Reporting problems