CVE-2026-54274 — aiohttp: Incomplete websocket frame payloads bypass memory limits

Description

### Summary If an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. ### Impact If a web application has WebSocket endpoints, it may be possible for an attacker to execute a DoS attack through excessive memory use. ----- Patch: https://github.com/aio-libs/aiohttp/commit/14b6ee851fb16ec199acb950de0c82d476799e7d

How to fix CVE-2026-54274

To remediate CVE-2026-54274, upgrade the affected package to a fixed version below.

PyPI/aiohttp—upgrade to 3.14.1 or later

Is CVE-2026-54274 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-54274.

Affected packages (1)

from 0, < 3.14.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References (2)

PATCHgithub.com/aio-libs/aiohttp
WEBgithub.com/aio-libs/aiohttp/security/advisories/GHSA-xcgm-r5h9-7989