NVD Vulnerability Detail

Search Exploit, PoC

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2026-34993

Summary	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading.
Publication Date	June 3, 2026, 5:16 a.m.
Registration Date	June 4, 2026, 4:15 a.m.
Last Update	June 3, 2026, 5:16 a.m.

CVSS3.1 : MEDIUM
スコア	6.4
Vector	CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L
攻撃元区分(AV)	ローカル
攻撃条件の複雑さ(AC)	高
攻撃に必要な特権レベル(PR)	高
利用者の関与(UI)	要
影響の想定範囲(S)	変更あり
機密性への影響(C)	低
完全性への影響(I)	高
可用性への影響(A)	低

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/aio-libs/aiohttp/commit/dcf40f30637e8752c76781cf6703b5a236749a00	security-advisories@github.com
2	https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jg22-mg44-37j8	security-advisories@github.com

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-502	信頼性のないデータのデシリアライゼーション	https://cwe.mitre.org/data/definitions/502.html