CVE-2026-34514
ADVISORY - github
Summary
An attacker who controls the content_type parameter in aiohttp could use it to inject extra headers or carry out similar exploits.
Impact
If an application allows untrusted data to be used for the multipart content_type parameter when constructing a request, an attacker may be able to manipulate the request to send something other than what the developer intended.
Patch: https://github.com/aio-libs/aiohttp/commit/9a6ada97e2c6cf1ce31727c6c9fcea17c21f6f06
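A caller-side guard for the untrusted-input case described under Impact, given here as an added example (it is not aiohttp's code and not the linked patch). It accepts a value only if it is a plain media type in a strict ASCII subset of the RFC 9110 grammar, so CR, LF and other control characters never reach the content_type parameter. The names safe_content_type, is_safe_content_type and UnsafeContentType and the optional allow-list are hypothetical.

```python
import re

# RFC 9110 "token" characters; CR, LF, NUL and all other controls are excluded.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# quoted-string restricted to tab, space and visible ASCII (no obs-text),
# with backslash escapes limited to the same range.
_QUOTED = r'"(?:[\t !#-\[\]-~]|\\[\t -~])*"'
_MEDIA_TYPE = re.compile(
    rf"{_TOKEN}/{_TOKEN}(?:[ \t]*;[ \t]*{_TOKEN}=(?:{_TOKEN}|{_QUOTED}))*"
)


class UnsafeContentType(ValueError):
    """Raised when a caller-supplied content type is not a plain media type."""


def safe_content_type(value, allowed=None):
    """Return value unchanged if it is a well-formed media type, else raise.

    allowed is an optional set of lowercase type/subtype strings (assumption:
    the application knows which media types it expects to send).
    """
    if not isinstance(value, str) or len(value) > 255:
        raise UnsafeContentType("content type must be a short string")
    # fullmatch, not match with "$": "$" would accept a trailing "\n".
    if not _MEDIA_TYPE.fullmatch(value):
        raise UnsafeContentType(f"rejected content type: {value!r}")
    if allowed is not None:
        base = value.split(";", 1)[0].strip().lower()
        if base not in allowed:
            raise UnsafeContentType(f"media type not allowed: {base!r}")
    return value


def is_safe_content_type(value, allowed=None):
    """Boolean form of safe_content_type for use in input validation."""
    try:
        safe_content_type(value, allowed)
    except UnsafeContentType:
        return False
    return True
```

Run the untrusted value through safe_content_type before handing it to aiohttp as content_type, and treat UnsafeContentType as a client error.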
Common Weakness Enumeration (CWE)
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Improper Neutralization of CRLF Sequences ('CRLF Injection')