CVE-2026-34993

medium

Published 2026-06-02 · Modified 2026-06-03

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

6.4

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L

CVSS v4 NEW

—

not yet in upstream

VIR risk

6.4

Description

AIOHTTP is Vulnerable to Deserialization of Untrusted Data

Predictions

Exploit likelihood

64%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2026-34993 NameCVE-2026-34993 DescriptionAIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue.…

Workaround

on older releases would be to sanitize the files before loading. SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) Vulnerable and fixed packages The table below lists information on source packages. Source PackageReleaseVersionStatus python-aiohttp (PTS)bullseye3.7.4-1vulnerable bullseye (security)3.7.4-1+deb11u2vulnerable bookworm, bookworm (security)3.8.4-1+deb12u1vulnerable trixie (security), trixie3.11.16-1+deb13u1vulnerable forky, sid3.13.5-1vulnerable The information below is based on the following data on fixed versions. PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs python-aiohttpsource(unstable)(unfixed) Notes https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jg22-mg44-37j8 https://github.com/aio-libs/aiohttp/commit/dcf40f30637e8752c76781cf6703b5a236749a00 (v3.14.0)

CVE-2026-34993

Name	CVE-2026-34993
Description	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
python-aiohttp (PTS)	bullseye	3.7.4-1	vulnerable
	bullseye (security)	3.7.4-1+deb11u2	vulnerable
	bookworm, bookworm (security)	3.8.4-1+deb12u1	vulnerable
	trixie (security), trixie	3.11.16-1+deb13u1	vulnerable
	forky, sid	3.13.5-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
python-aiohttp	source	(unstable)	(unfixed)

Notes

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jg22-mg44-37j8
https://github.com/aio-libs/aiohttp/commit/dcf40f30637e8752c76781cf6703b5a236749a00 (v3.14.0)

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jg22-mg44-37j8https://github.com/aio-libs/aiohttp/commit/dcf40f30637e8752c76781cf6703b5a236749a00 (v3.14.0)

OS impact

Debian Affected 5 releases

Version	Status	Fixed in
trixie	Affected	—
sid	Affected	—
forky	Affected	—
bullseye	Affected	—
bookworm	Affected	—

SUSE Affected 1 release

Version	Status	Fixed in
—	Affected	—

Package impact

Ecosystem	Package	Vulnerable	Fixed
PyPI	aiohttp	`<3.14.0`	`3.14.0`

References

CWEs

CWE-502

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.