CVE Catalog

CVE-2026-34993

MediumCVSS 6.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile - higher than 3% of all known CVEs

Summary

In the AIOHTTP library before version 3.14.0, a vulnerability allows arbitrary code execution when loading untrusted data via the ``CookieJar.load()`` function. The issue primarily affects applications that allow loading attacker-controlled files.

Risk Assessment

The risk for the organization is the potential for code injection and application compromise when processing cookie files. Although most applications use this function with their own data, accepting user-supplied files poses a serious threat.

Recommendation

Immediately upgrade AIOHTTP to version 3.14.0 or later. If upgrading is not possible, sanitize all files before loading them with ``CookieJar.load()``.

Original NVD description (English source)

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS