CVE-2026-54279 — aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence

Description

### Summary Host-only cookies that are saved with ``CookieJar.save()`` and then restored later with ``CookieJar.load()`` lose their host-only status. ### Impact Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disallowed. ----- Patch: https://github.com/aio-libs/aiohttp/commit/a329a7aacad5284f087af36103aff778746da0f2

How to fix CVE-2026-54279

To remediate CVE-2026-54279, upgrade the affected package to a fixed version below.

PyPI/aiohttp—upgrade to 3.14.1 or later

Is CVE-2026-54279 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-54279.

Affected packages (1)

from 0, < 3.14.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:U

References (2)

PATCHgithub.com/aio-libs/aiohttp
WEBgithub.com/aio-libs/aiohttp/security/advisories/GHSA-2fqr-mr3j-6wp8