CVE-2026-34525

Summary

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.

Affected Software

VendorProductVersion RangeStatus
aio-libsaiohttp< 3.13.4affected

Weaknesses

  • CWE-20: CWE-20: Improper Input Validation
  • CWE-444: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References