CVE-2026-50269
AIOHTTP: CRLF injection in multipart headers
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar. In the unlikely situation that an application is passing user-controlled strings into MultipartWriter.append(headers=...) or Payload.headers, then an attacker may be able to modify the request to inject headers or change the contents of the request. This vulnerability is fixed in 3.14.0.
| CWE | CWE-93 CWE-113 |
| Vendor | aio-libs |
| Product | aiohttp |
| Published | Jun 22, 2026 |
| Last Updated | Jun 22, 2026 |
Stay Ahead of the Next One
Get instant alerts for aio-libs aiohttp
Be the first to know when new unknown vulnerabilities affecting aio-libs aiohttp are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
aio-libs / aiohttp
< 3.14.0