PYSEC-2026-2104

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/aiohttp/PYSEC-2026-2104.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2104
Aliases
Published
2026-06-02T20:16:34.857Z
Modified
2026-07-13T07:15:12.748393707Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using CookieJar.load() with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading.

References

Affected packages

PyPI / aiohttp

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.14.0

Affected versions

0.*
0.1
0.2
0.3
0.4
0.4.1
0.4.2
0.4.3
0.4.4
0.5.0
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.7.0
0.7.1
0.7.2
0.7.3
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.9.0
0.9.1
0.9.2
0.9.3
0.10.0
0.10.1
0.10.2
0.11.0
0.12.0
0.13.0
0.13.1
0.14.0
0.14.1
0.14.2
0.14.3
0.14.4
0.15.0
0.15.1
0.15.2
0.15.3
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.16.5
0.16.6
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.18.0
0.18.1
0.18.2
0.18.3
0.18.4
0.19.0
0.20.0
0.20.1
0.20.2
0.21.0
0.21.1
0.21.2
0.21.4
0.21.5
0.21.6
0.22.0a0
0.22.0b0
0.22.0b1
0.22.0b2
0.22.0b3
0.22.0b4
0.22.0b5
0.22.0b6
0.22.0
0.22.1
0.22.2
0.22.3
0.22.4
0.22.5
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.5
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.2.0
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
2.*
2.0.0rc1
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.1.0
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.3.0a1
2.3.0a2
2.3.0a3
2.3.0a4
2.3.0
2.3.1a1
2.3.1
2.3.2b2
2.3.2b3
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.3.10
3.*
3.0.0b0
3.0.0b1
3.0.0b2
3.0.0b3
3.0.0b4
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.1.0
3.1.1
3.1.2
3.1.3
3.2.0
3.2.1
3.3.0a0
3.3.0
3.3.1
3.3.2a0
3.3.2
3.4.0a0
3.4.0a3
3.4.0b1
3.4.0b2
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.5.0a1
3.5.0b1
3.5.0b2
3.5.0b3
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.6.0a0
3.6.0a1
3.6.0a2
3.6.0a3
3.6.0a4
3.6.0a5
3.6.0a6
3.6.0a7
3.6.0a8
3.6.0a9
3.6.0a11
3.6.0a12
3.6.0b0
3.6.0
3.6.1b3
3.6.1b4
3.6.1
3.6.2a0
3.6.2a1
3.6.2a2
3.6.2
3.6.3
3.7.0b0
3.7.0b1
3.7.0
3.7.1
3.7.2
3.7.3
3.7.4
3.7.4.post0
3.8.0a7
3.8.0b0
3.8.0
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.9.0b0
3.9.0b1
3.9.0rc0
3.9.0
3.9.1
3.9.2
3.9.3
3.9.4rc0
3.9.4
3.9.5
3.10.0b1
3.10.0rc0
3.10.0
3.10.1
3.10.2
3.10.3
3.10.4
3.10.5
3.10.6rc0
3.10.6rc1
3.10.6rc2
3.10.6
3.10.7
3.10.8
3.10.9
3.10.10
3.10.11rc0
3.10.11
3.11.0b0
3.11.0b1
3.11.0b2
3.11.0b3
3.11.0b4
3.11.0b5
3.11.0rc0
3.11.0rc1
3.11.0rc2
3.11.0
3.11.1
3.11.2
3.11.3
3.11.4
3.11.5
3.11.6
3.11.7
3.11.8
3.11.9
3.11.10
3.11.11
3.11.12
3.11.13
3.11.14
3.11.15
3.11.16
3.11.17
3.11.18
3.12.0b0
3.12.0b1
3.12.0b2
3.12.0b3
3.12.0rc0
3.12.0rc1
3.12.0
3.12.1rc0
3.12.1
3.12.2
3.12.3
3.12.4
3.12.6
3.12.7rc0
3.12.7
3.12.8
3.12.9
3.12.10
3.12.11
3.12.12
3.12.13
3.12.14
3.12.15
3.13.0
3.13.1
3.13.2
3.13.3
3.13.4
3.13.5

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/aiohttp/PYSEC-2026-2104.yaml"