| CVE-2021-21330 | low | — | 2.5 | | | | 5y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based… |
| CVE-2024-23334 | unknown | — | 1.0 | | | | 2y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static f… |
| CVE-2026-47265 | unknown | — | — | | | | 1d ago | AIOHTTP is vulnerable to cross-origin redirect with per-request cookies |
| CVE-2026-34525 | unknown | — | — | | | | 2mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4. |
| CVE-2026-34520 | unknown | — | — | | | | 2mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in res… |
| CVE-2026-34519 | unknown | — | — | | | | 2mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject e… |
| CVE-2026-34518 | unknown | — | — | | | | 2mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but re… |
| CVE-2026-34517 | unknown | — | — | | | | 2mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking clie… |
| CVE-2026-34516 | unknown | — | — | | | | 2mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart headers may be allowed to use more memory tha… |
| CVE-2026-34515 | unknown | — | — | | | | 2mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This… |
| CVE-2026-34514 | unknown | — | — | | | | 2mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra … |
| CVE-2026-34513 | unknown | — | — | | | | 2mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situ… |
| CVE-2026-22815 | unknown | — | — | | | | 2mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This i… |
| CVE-2025-69230 | unknown | — | — | | | | 5mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is… |
| CVE-2025-69229 | unknown | — | — | | | | 5mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a … |
| CVE-2025-69228 | unknown | — | — | | | | 5mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontro… |
| CVE-2025-69227 | unknown | — | — | | | | 5mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS a… |
| CVE-2025-69226 | unknown | — | — | | | | 5mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path no… |
| CVE-2025-69225 | unknown | — | — | | | | 5mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There… |
| CVE-2025-69224 | unknown | — | — | | | | 5mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII… |
| CVE-2025-69223 | unknown | — | — | | | | 5mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be a… |
| CVE-2025-53643 | unknown | — | — | | | | 11mo ago | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trail… |
| CVE-2024-52304 | unknown | — | — | | | | 2y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request s… |
| CVE-2024-52303 | unknown | — | — | | | | 2y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError… |
| CVE-2024-42367 | unknown | — | — | | | | 2y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.g… |
| CVE-2024-30251 | unknown | — | — | | | | 2y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp serv… |
| CVE-2024-27306 | unknown | — | — | | | | 2y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. An XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have alway… |
| CVE-2024-23829 | unknown | — | — | | | | 2y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must tr… |
| CVE-2023-49081 | unknown | — | — | | | | 3y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create… |
| CVE-2023-49082 | unknown | — | — | | | | 3y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even cre… |
| CVE-2023-47627 | unknown | — | — | | | | 3y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parse… |
| CVE-2023-47641 | unknown | — | — | | | | 3y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protoc… |
| CVE-2023-37276 | unknown | — | — | | | | 3y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request pars… |