CVE-2026-34993
MediumCVSS 6.4Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
In the AIOHTTP library before version 3.14.0, a vulnerability allows arbitrary code execution when loading untrusted data via the ``CookieJar.load()`` function. The issue primarily affects applications that allow loading attacker-controlled files.
Risk Assessment
The risk for the organization is the potential for code injection and application compromise when processing cookie files. Although most applications use this function with their own data, accepting user-supplied files poses a serious threat.
Recommendation
Immediately upgrade AIOHTTP to version 3.14.0 or later. If upgrading is not possible, sanitize all files before loading them with ``CookieJar.load()``.
Original NVD description (English source)
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading.

