Skip to main content

Python CVE-2026-34517

| EUVDEUVD-2026-18041 LOW
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-01 GitHub_M GHSA-3wq7-rqq7-wx6j
2.7
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.7 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 02, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 01, 2026 - 21:00 euvd
EUVD-2026-18041
Analysis Generated
Apr 01, 2026 - 21:00 vuln.today
CVE Published
Apr 01, 2026 - 20:14 nvd
LOW 2.7

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 122 pypi packages depend on aiohttp (43 direct, 79 indirect)

Ecosystem-wide dependent count for version 3.13.4.

DescriptionGitHub Advisory

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.

AnalysisAI

Aiohttp prior to version 3.13.4 allocates entire multipart form fields into memory before validating against the client_max_size limit, enabling unauthenticated remote attackers to cause denial of service through memory exhaustion. The vulnerability affects all versions before 3.13.4 and carries a low CVSS score (2.7) reflecting limited availability impact, with no public exploit code or active exploitation confirmed at time of analysis.

Technical ContextAI

Aiohttp is a Python asynchronous HTTP framework built on asyncio, commonly used for building high-concurrency web services. The vulnerability exists in multipart form data parsing logic (CWE-770: Allocation of Resources Without Limits or Throttling), where the framework loads multipart fields entirely into memory before enforcing the client_max_size constraint. This violates the principle of streaming parsing and fail-safe defaults. The issue is specific to multipart/form-data content-type handling; the affected CPE is cpe:2.3:a:aio-libs:aiohttp:*:*:*:*:*:*:*:* with versions prior to 3.13.4 impacted.

RemediationAI

Vendor-released patch: Aiohttp 3.13.4 or later. Upgrade immediately via pip (pip install --upgrade aiohttp>=3.13.4) to receive the fix commit cbb774f38330563422ca0c413a71021d7b944145, which enforces client_max_size validation before full field buffering. No workarounds are documented for earlier versions other than external request-size filtering at the load-balancer or reverse-proxy layer (e.g., nginx client_max_body_size directive). See https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4 for release notes and https://github.com/aio-libs/aiohttp/security/advisories/GHSA-3wq7-rqq7-wx6j for advisory details.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-34517 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy