Sign In

CVE-2026-34520

ADVISORY - github

Summary

Summary

The C parser (the default for most installs) accepted null bytes and control characters is response headers.

Impact

An attacker could send header values that are interpreted differently than expected due to the presence of control characters. For example, request.url.origin() may return a different value than the raw Host header, or what a reverse proxy interpreted it as., potentially resulting in some kind of security bypass.

Patch: https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4

EPSS Score: 0.00042 (0.130)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

ADVISORY - github

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

ADVISORY - redhat

CWE-1286

Improper Validation of Syntactic Correctness of Input

Impacted images

Advisories

NIST

CREATED

UPDATED

ADVISORY IDCVE-2026-34520
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-113

CVSS SCORE

2.7low

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-63hf-3vf5-4wqf
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-113

CVSS SCORE

2.7low

Debian

CREATED

UPDATED

ADVISORY IDCVE-2026-34520
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Ubuntu

CREATED

UPDATED

ADVISORY IDCVE-2026-34520
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Red Hat

CREATED

UPDATED

ADVISORY IDCVE-2026-34520
EXPLOITABILITY SCORE

2.2

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-1286

CVSS SCORE

3.7low

Chainguard

CREATED

UPDATED

ADVISORY ID

CGA-fc4p-xm64-477h

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY