CVE-2026-34525

Published: Apr 1, 2026

Modified: Apr 2, 2026

PUBLISHED

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.

Vendor	Product	Versions
aio-libs	aiohttp	affected `< 3.13.4`

Weaknesses (CWE)

CWE-20

CWE-444

References

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-c427-h43c-vf67

x_refsource_CONFIRM

https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000

x_refsource_MISC

https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349

x_refsource_MISC

https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-34525

Description

Affected Products

Weaknesses (CWE)

References