CVE-2026-47265EPSS p4.5%

CVE-2026-47265CVE-2026-47265

aiohttp / aiohttp

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect. Version 3.14.0 patches the issue. If unable to upgrade, using a `Cookie` header in the `headers` parameter is not vulnerable.

Scoring

CVSS 7.5 ()
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS0.15% probability of exploitation · percentile 4.5% · 2026-06-19T12:03:05Z
Last modified2026-06-05

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-34993
CVE
CVE-2026-34520
CVE
CVE-2026-45300
CVE
CVE-2026-42043
CVE
CVE-2026-34356
CVE
CVE-2026-48856
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.