CVE-2026-47265

Medium · CVSS 4.0 base score 6.6 · EPSS 4.6%
Published Jun 2, 2026 · Last Modified Jun 17, 2026

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies supplied to a client request through the per-request `cookies` parameter are still sent after the client follows a redirect to a different origin. A developer who passes sensitive values (a session token, for example) via `cookies` on a per-request basis can therefore leak them to an attacker who manages to control a redirect target reached from the original request. Version 3.14.0 patches the issue. If unable to upgrade, sending the cookie as a `Cookie` header through the `headers` parameter is not affected.

CVSS Details

Base Score 6.6 (CVSS 4.0)
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User Interaction None
Vulnerable System Impact: Confidentiality High, Integrity None, Availability None
Subsequent System Impact: Confidentiality None, Integrity None, Availability None
Exploit Maturity Unreported

Threat Intelligence

EPSS Exploit Probability 4.6%
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses (1)

CWE-346 Origin Validation Error

Affected Products (1)

Vendor   Product  Version  Range
aiohttp  aiohttp  *        <3.14.0

References (2)

  • github.com https://github.com/aio-libs/aiohttp/commit/f54c40851b0d6c4bbdab97ba518a223adda32478
    Patch
  • github.com https://github.com/aio-libs/aiohttp/security/advisories/GHSA-hg6j-4rv6-33pg
    Mitigation · Patch · Vendor Advisory

Remediation

  • Upgrade aiohttp to 3.14.0 or later, which contains the fixing commit listed under References.
  • If unable to upgrade, do not pass sensitive values through the per-request `cookies` parameter; send them as a `Cookie` header in the `headers` parameter instead, which the advisory states is not affected.
  • github.com https://github.com/aio-libs/aiohttp/security/advisories/GHSA-hg6j-4rv6-33pg
    Mitigation · Patch · Vendor Advisory