VYPR
Medium severity6.4NVD Advisory· Published Jun 2, 2026· Updated Jun 5, 2026

CVE-2026-34993

CVE-2026-34993

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using `CookieJar.load()` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
aiohttpPyPI
< 3.14.03.14.0

Affected products

45

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.

CVE-2026-34993 · Medium · VYPR