VYPR
Moderate severity · NVD Advisory · Published Apr 18, 2024 · Updated Nov 3, 2025

aiohttp vulnerable to XSS on index pages for static file handling

CVE-2024-27306

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. An XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable show_index if unable to upgrade.
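An added example, not code from the advisory or the aiohttp project: a standard-library audit that checks the two conditions the description names, an aiohttp version below 3.9.4 and static routes registered with show_index enabled. The sample source, its paths and the name LISTING are constructed for illustration.

```python
import ast

FIXED = (3, 9, 4)  # first patched release, per the advisory


def is_affected(version: str) -> bool:
    """True if an aiohttp version string is older than 3.9.4.
    Pre-release suffixes (e.g. 'rc1') are ignored, so check those by hand."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = "".join(ch for ch in piece[: len(piece)] if ch.isdigit()) \
            if piece.isdigit() else piece.rstrip("abcdefghijklmnopqrstuvwxyz0123456789"[:26])
        parts.append(int(digits) if digits.isdigit() else 0)
    parts += [0] * (3 - len(parts))
    return tuple(parts) < FIXED


def find_show_index(source: str, filename: str = "<src>") -> list:
    """Return sorted (line, call name) pairs for add_static()/static() calls
    whose show_index is not the literal False."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        if name not in ("add_static", "static"):  # name match only; review hits
            continue
        for kw in node.keywords:
            # kw.arg is None for **kwargs, which may carry show_index.
            if kw.arg not in ("show_index", None):
                continue
            literal_false = isinstance(kw.value, ast.Constant) and kw.value.value is False
            if not literal_false:  # True, or a value only known at run time
                hits.append((node.lineno, name))
    return sorted(hits)


# Constructed sample application source.
SAMPLE = '''\
from aiohttp import web
app = web.Application()
app.router.add_static("/files", "/srv/files", show_index=True)
app.router.add_static("/assets", "/srv/assets", show_index=False)
app.add_routes([web.static("/pub", "/srv/pub", show_index=LISTING)])
app.router.add_static("/img", "/srv/img")
'''

if __name__ == "__main__":
    print("3.9.3 affected:", is_affected("3.9.3"))
    for line, call in find_show_index(SAMPLE):
        print(f"line {line}: {call}() may serve a directory index")
```

A route with no show_index argument is not reported because the parameter defaults to False in aiohttp.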

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
aiohttp (PyPI)   < 3.9.4             3.9.4

Affected products

46

References

13
