CVE Catalog

CVE-2026-54279

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

20th percentile — higher than 20% of all known CVEs

Summary

In the AIOHTTP library before version 3.14.1, there is a vulnerability where host-only cookies saved with CookieJar.save() and later restored with CookieJar.load() lose their host-only status.

Risk Assessment

An attacker could exploit this flaw to send cookies intended only for a specific host to other domains, potentially leading to session and authorization security breaches.

Recommendation

Immediately update the AIOHTTP library to version 3.14.1 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, host-only cookies that are saved with CookieJar.save() and then restored later with CookieJar.load() lose their host-only status. This vulnerability is fixed in 3.14.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS