CRITICAL9.1CVE-2026-34520AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass from 0
HIGH7.5CVE-2026-47265AIOHTTP is vulnerable to cross-origin redirect with per-request cookies from 0
HIGH7.5AIOHTTP has a Multipart Header Size Bypass
from 0
HIGH7.5AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector
from 0
HIGH7.5AIOHTTP vulnerable to denial of service through large payloads
from 0
HIGH7.5AIOHTTP vulnerable to DoS when bypassing asserts
from 0
HIGH7.5AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
from 0
HIGH7.5AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections
from 0
HIGH7.5aiohttp allows request smuggling due to incorrect parsing of chunk extensions
from 0, < 3.7.4-1+deb11u1
HIGH7.5aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method
from 0, < 3.10.11-1
HIGH7.5aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests
from 0, < 3.7.4-1+deb11u1
HIGH7.2aiohttp's ClientSession is vulnerable to CRLF injection via version
from 0, < 3.7.4-1+deb11u1
MEDIUM6.5AIOHTTP's unicode processing of header values could cause parsing discrepancies
from 0
MEDIUM6.5aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators
from 0, < 3.7.4-1+deb11u1
MEDIUM6.4AIOHTTP is Vulnerable to Deserialization of Untrusted Data
from 0
MEDIUM6.1aiohttp Cross-site Scripting vulnerability on index pages for static file handling
from 0, < 3.7.4-1+deb11u1
MEDIUM5.9aiohttp is vulnerable to directory traversal
from 0, < 3.7.4-1+deb11u1
MEDIUM5.3AIOHTTP accepts duplicate Host headers
from 0
MEDIUM5.3AIOHTTP has HTTP response splitting via \r in reason phrase
from 0
MEDIUM5.3AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect
from 0
MEDIUM5.3AIOHTTP has late size enforcement for non-file multipart fields causes memory DoS
from 0
MEDIUM5.3AIOHTTP has CRLF injection through multipart part content type header construction
from 0
MEDIUM5.3AIOHTTP Vulnerable to Cookie Parser Warning Storm
from 0, < 3.13.3-1
MEDIUM5.3AIOHTTP vulnerable to DoS through chunked messages
from 0
MEDIUM5.3AIOHTTP vulnerable to brute-force leak of internal static file path components
from 0
MEDIUM5.3AIOHTTP has unicode match groups in regexes for ASCII protocol elements
from 0
MEDIUM5.3aiohttp's ClientSession is vulnerable to CRLF injection via method
from 0, < 3.7.4-1+deb11u1
MEDIUM5.3python-aiohttp - security update
from 0, < 3.7.4-1+deb11u1
MEDIUM5.3python-aiohttp - security update
from 0, < 3.7.4-1+deb11u1
MEDIUM5.3python-aiohttp - security update
from 0, < 3.8.4-1+deb12u1
MEDIUM5.3aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser
from 0
MEDIUM4.8In aiohttp, compressed files as symlinks are not protected from path traversal
from 0
LOW3.4Aiohttp has inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` differing in C and Python fallbacks
from 0, < 3.7.4-1+deb11u1
LOW3.1python-aiohttp - security update
from 0, < 3.5.1-1+deb10u1
LOW3.1python-aiohttp - security update
from 0, < 3.7.4-1
—aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage
from 0