Main Vulnerability Database Vulnerabilities #VU133242

Deserialization of Untrusted Data in aiohttp - CVE-2026-34993

Published: June 2, 2026

Vulnerability identifier: #VU133242

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2026-34993

CWE-ID: CWE-502

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: aio-libs

Affected software:
aiohttp

Detailed vulnerability description

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to deserialization of untrusted data in CookieJar.load() when loading untrusted input. A local privileged user can supply a crafted file to execute arbitrary code.

User interaction is required to load the crafted file.

How to mitigate CVE-2026-34993

Install security update from vendor's website.

Sources

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jg22-mg44-37j8
https://github.com/aio-libs/aiohttp/commit/dcf40f30637e8752c76781cf6703b5a236749a00

Deserialization of Untrusted Data in aiohttp - CVE-2026-34993

Detailed vulnerability description

How to mitigate CVE-2026-34993

Sources

Please verify you're human