CVE-2026-34993
AIOHTTP is Vulnerable to Deserialization of Untrusted Data
6.4 MEDIUM (CVSS 3.1)
Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, calling `CookieJar.load()` on untrusted input may allow arbitrary code execution. Most applications that use this function do so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker-controlled files to be loaded, a workaround on older releases is to sanitize the files before loading them.
How to patch CVE-2026-34993
To patch CVE-2026-34993, upgrade the affected package to one of the patched versions listed below.
- No patched version listed
- Upgrade to 3.14.0 or later
Is CVE-2026-34993 being exploited?
There are currently no signals of exploitation. CVE-2026-34993 is neither listed in the CISA KEV catalog nor has a recent EPSS score.
Affected packages (2)
- from 0
- from 0, < 3.14.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.4) | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L |