CVE-2026-54274 | AIOHTTP is an asynchronous HTTP client/server framework for … | CVSS 6.6 MEDIUM

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. This vulnerability is fixed in 3.14.1.

Metadata

CVE ID: CVE-2026-54274
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-12 17:13 UTC
Published: 2026-06-22 16:33 UTC
Last updated: 2026-06-22 18:14 UTC
Primary CWE: CWE-770
CWE-770: Allocation of Resources Without Limits or Throttlin…
Vendor / Product: aio-libs / aiohttp
Sources: cve.org · NVD

Severity & Metrics

6.6 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
aio-libs	aiohttp	—	< 3.14.1

Weakness (CWE)

CWE	Source	Description
CWE-770	cna	CWE-770: Allocation of Resources Without Limits or Throttling

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.6	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References (2)

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xcgm-r5h9-7989 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-xcgm-r5h9-7989
https://github.com/aio-libs/aiohttp/commit/14b6ee851fb16ec199acb950de0c82d476799e7d https://github.com/aio-libs/aiohttp/commit/14b6ee851fb16ec199acb950de0c82d476799e7d