anonhaven
Ad

CVE-2026-34525

MEDIUM CVSS 4.0: 6.3 EPSS 0.08%
Updated Apr 01, 2026
Python
Parameter Value
CVSS 6.3 (MEDIUM)
Fixed In 3.13.4
Type CWE-20 (Improper Input Validation), CWE-444
Vendor Python
Public PoC No

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
High
Difficult to exploit
Attack Requirements
Present
Additional conditions required
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
None
No data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-20 Improper Input Validation
CWE-444

References 4

https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b…
security-advisories@github.com
https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed…
security-advisories@github.com
https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4
security-advisories@github.com
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-c427-h43c-vf67
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-35002

Python

9.3

CVE-2026-34520

Python

2.7

CVE-2026-34519

Python

2.7

CVE-2026-34518

Python

2.7

CVE-2026-34517

Python

2.7