CVE-2026-54279
Analyzed
Analyzed - Analysis Complete
Host-Only Cookie Handling Flaw in AIOHTTP
Vulnerability report for CVE-2026-54279, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-22
Last updated on: 2026-06-26
Assigner: GitHub, Inc.
Description
Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, host-only cookies that are saved with CookieJar.save() and then restored later with CookieJar.load() lose their host-only status. This vulnerability is fixed in 3.14.1.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aiohttp | aiohttp | to 3.14.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-665 | The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. |