CVE-2026-34514
MEDIUMAIOHTTP: CRLF injection in multipart part content type header construction
Title source: cnaDescription
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-2vrm-gr82-f7m5
X_Refsource_Misc x_refsource_misc
https://github.com/aio-libs/aiohttp/commit/9a6ada97e2c6cf1ce31727c6c9fcea17c21f6f06
X_Refsource_Misc x_refsource_misc
https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4
Scores
CVSS v3
5.3
EPSS
0.0032
EPSS Percentile
23.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-113
Status
published
Products (3)
aio-libs/aiohttp
< 3.13.4
aiohttp/aiohttp
< 3.13.4
pypi/aiohttp
0 - 3.13.4PyPI
Published
Apr 01, 2026
Tracked Since
Apr 02, 2026