Skip to main content

aiohttp CVE-2026-50269

| EUVDEUVD-2026-38308 LOW
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
N/A vendor:alpine GHSA-m6qw-4cw2-hm4m
2.7
CVSS 4.0 · Vendor: vendor:alpine

Severity by source

Vendor (vendor:alpine) PRIMARY
2.7 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (vendor:alpine) · only source for this CVE.

CVSS VectorVendor: vendor:alpine

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVSS changed
Jun 22, 2026 - 18:23 NVD
2.7 (LOW)
Analysis Generated
Jun 12, 2026 - 15:00 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 16 pypi packages depend on aiohttp (13 direct, 3 indirect)

Ecosystem-wide dependent count for version 3.14.0.

DescriptionCVE.org

Alpine Linux: py3-aiohttp fixed in 3.14.1-r0

AnalysisAI

py3-aiohttp in Alpine Linux received a security fix packaged as version 3.14.1-r0. The nature of the underlying vulnerability - its attack vector, impact, and exploitation conditions - is not described in the available intelligence. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Unknown entry point
Exploit
Unknown vulnerability trigger
Impact
Unknown impact

Vulnerability AssessmentAI

Exploitation Exploitation conditions cannot be determined from the available data. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Risk cannot be meaningfully assessed from the available data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario No exploit scenario can be constructed - the vulnerability type, attack vector, and required conditions are entirely absent from the available intelligence. No POC is referenced, and the CVE is not listed in CISA KEV. …
Remediation Upgrade the py3-aiohttp Alpine Linux package to version 3.14.1-r0 or later using the standard Alpine apk tooling: 'apk upgrade py3-aiohttp'. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-47627 HIGH POC
7.5 Nov 14

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vul

CVE-2023-37276 HIGH POC
7.5 Jul 19

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vul

CVE-2023-47641 MEDIUM POC
6.5 Nov 14

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.5), this v

CVE-2022-33124 MEDIUM POC
5.5 Jun 23

AIOHTTP 3.8.1 can report a "ValueError: Invalid IPv6 URL" outcome, which can lead to a Denial of Service (DoS). Rated me

CVE-2023-49082 MEDIUM POC
5.3 Nov 29

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 5.3), this v

CVE-2023-49081 MEDIUM POC
5.3 Nov 30

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 5.3), this v

CVE-2024-52303 HIGH
8.7 Nov 18

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 8.7), this vul

CVE-2025-69228 HIGH
7.5 Jan 06

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a reques

CVE-2025-69227 HIGH
7.5 Jan 06

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an i

CVE-2025-69223 HIGH
7.5 Jan 05

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bo

CVE-2025-53643 HIGH
7.5 Jul 14

AIOHTTP versions prior to 3.12.14 contain a request smuggling vulnerability in the Python parser that fails to properly

CVE-2024-30251 HIGH
7.5 May 02

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vul

Share

CVE-2026-50269 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy