CVE-2026-34993
AIOHTTP Vulnerable to Deserialization of Untrusted Data
CVSS Score
6.4
EPSS Score
0.1%
EPSS Percentile
18th
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading.
| CWE | CWE-502 |
| Vendor | aio-libs |
| Product | aiohttp |
| Published | Jun 2, 2026 |
| Last Updated | Jun 3, 2026 |
Stay Ahead of the Next One
Get instant alerts for aio-libs aiohttp
Be the first to know when new medium vulnerabilities affecting aio-libs aiohttp are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
Low
Affected Versions
aio-libs / aiohttp
< 3.14.0