GHSA-mwh4-6h8g-pg8w

Suggest an improvement
Source
https://github.com/advisories/GHSA-mwh4-6h8g-pg8w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mwh4-6h8g-pg8w/GHSA-mwh4-6h8g-pg8w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mwh4-6h8g-pg8w
Aliases
  • CVE-2026-34519
Related
Published
2026-04-01T21:48:24Z
Modified
2026-04-02T20:14:23.055473668Z
Severity
  • 2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
AIOHTTP has HTTP response splitting via \r in reason phrase
Details

Summary

An attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits.

Impact

In the unlikely situation that an application allows untrusted data to be used in the response's reason parameter, then an attacker could manipulate the response to send something different from what the developer intended.

Patch: https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T21:48:24Z",
    "severity": "LOW",
    "cwe_ids": [
        "CWE-113"
    ],
    "nvd_published_at": "2026-04-01T21:17:00Z"
}
References

Affected packages

PyPI / aiohttp

Package

Name
aiohttp
View open source insights on deps.dev
Purl
pkg:pypi/aiohttp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.13.4

Affected versions

0.*
0.1
0.2
0.3
0.4
0.4.1
0.4.2
0.4.3
0.4.4
0.5.0
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.7.0
0.7.1
0.7.2
0.7.3
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.9.0
0.9.1
0.9.2
0.9.3
0.10.0
0.10.1
0.10.2
0.11.0
0.12.0
0.13.0
0.13.1
0.14.0
0.14.1
0.14.2
0.14.3
0.14.4
0.15.0
0.15.1
0.15.2
0.15.3
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.16.5
0.16.6
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.18.0
0.18.1
0.18.2
0.18.3
0.18.4
0.19.0
0.20.0
0.20.1
0.20.2
0.21.0
0.21.1
0.21.2
0.21.4
0.21.5
0.21.6
0.22.0a0
0.22.0b0
0.22.0b1
0.22.0b2
0.22.0b3
0.22.0b4
0.22.0b5
0.22.0b6
0.22.0
0.22.1
0.22.2
0.22.3
0.22.4
0.22.5
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.5
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.2.0
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
2.*
2.0.0rc1
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.1.0
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.3.0a1
2.3.0a2
2.3.0a3
2.3.0a4
2.3.0
2.3.1a1
2.3.1
2.3.2b2
2.3.2b3
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.3.10
3.*
3.0.0b0
3.0.0b1
3.0.0b2
3.0.0b3
3.0.0b4
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.1.0
3.1.1
3.1.2
3.1.3
3.2.0
3.2.1
3.3.0a0
3.3.0
3.3.1
3.3.2a0
3.3.2
3.4.0a0
3.4.0a3
3.4.0b1
3.4.0b2
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.5.0a1
3.5.0b1
3.5.0b2
3.5.0b3
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.6.0a0
3.6.0a1
3.6.0a2
3.6.0a3
3.6.0a4
3.6.0a5
3.6.0a6
3.6.0a7
3.6.0a8
3.6.0a9
3.6.0a11
3.6.0a12
3.6.0b0
3.6.0
3.6.1b3
3.6.1b4
3.6.1
3.6.2a0
3.6.2a1
3.6.2a2
3.6.2
3.6.3
3.7.0b0
3.7.0b1
3.7.0
3.7.1
3.7.2
3.7.3
3.7.4
3.7.4.post0
3.8.0a7
3.8.0b0
3.8.0
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.9.0b0
3.9.0b1
3.9.0rc0
3.9.0
3.9.1
3.9.2
3.9.3
3.9.4rc0
3.9.4
3.9.5
3.10.0b1
3.10.0rc0
3.10.0
3.10.1
3.10.2
3.10.3
3.10.4
3.10.5
3.10.6rc0
3.10.6rc1
3.10.6rc2
3.10.6
3.10.7
3.10.8
3.10.9
3.10.10
3.10.11rc0
3.10.11
3.11.0b0
3.11.0b1
3.11.0b2
3.11.0b3
3.11.0b4
3.11.0b5
3.11.0rc0
3.11.0rc1
3.11.0rc2
3.11.0
3.11.1
3.11.2
3.11.3
3.11.4
3.11.5
3.11.6
3.11.7
3.11.8
3.11.9
3.11.10
3.11.11
3.11.12
3.11.13
3.11.14
3.11.15
3.11.16
3.11.17
3.11.18
3.12.0b0
3.12.0b1
3.12.0b2
3.12.0b3
3.12.0rc0
3.12.0rc1
3.12.0
3.12.1rc0
3.12.1
3.12.2
3.12.3
3.12.4
3.12.6
3.12.7rc0
3.12.7
3.12.8
3.12.9
3.12.10
3.12.11
3.12.12
3.12.13
3.12.14
3.12.15
3.13.0
3.13.1
3.13.2
3.13.3

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mwh4-6h8g-pg8w/GHSA-mwh4-6h8g-pg8w.json"
last_known_affected_version_range 
"<= 3.13.3"