CVE-2026-54279
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
In the AIOHTTP library before version 3.14.1, there is a vulnerability where host-only cookies saved with CookieJar.save() and later restored with CookieJar.load() lose their host-only status.
Risk Assessment
An attacker could exploit this flaw to send cookies intended only for a specific host to other domains, potentially leading to session and authorization security breaches.
Recommendation
Immediately update the AIOHTTP library to version 3.14.1 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, host-only cookies that are saved with CookieJar.save() and then restored later with CookieJar.load() lose their host-only status. This vulnerability is fixed in 3.14.1.

