{"schema_version":"1.7.2","id":"OESA-2026-2838","modified":"2026-07-06T06:27:29Z","published":"2026-07-06T06:27:29Z","upstream":["CVE-2026-54273","CVE-2026-54274","CVE-2026-54275","CVE-2026-54276","CVE-2026-54277","CVE-2026-54278","CVE-2026-54279","CVE-2026-54280"],"summary":"python-aiohttp security update","details":"Async http client/server framework (asyncio).\r\n\r\nSecurity Fix(es):\n\nNo limit was present on the number of pipelined requests that could be queued.  Impact An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS.(CVE-2026-54273)\n\nIf an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use.  Impact If a web application has WebSocket endpoints, it may be possible for an attacker to execute a DoS attack through excessive memory use(CVE-2026-54274)\n\nIf an application makes multiple requests to the same domain, but with different per-request `server_hostname` parameters, then the later calls may succeed by reusing the existing connection when they should have been rejected due to the TLS SNI check.(CVE-2026-54275)\n\nIf the client follows a redirect (the default option) to an attacker controlled domain, the attacker may be able to extract the auth digest.\r\n\r\nThis likely requires an open redirect vulnerability or similar on the target domain for an attacker to be able to execute. Further, the attacker is only receiving the digest, so should only be able to extract the user&apos;s credentials if the cryptography is weak or there is some kind of password reuse.(CVE-2026-54276)\n\nIt is possible to bypass the max_line_size check in parts of an HTTP request in the C parser. Impact If using the optimized C parser (the default in pre-built wheels), then an attacker may be able to send oversized lines through the HTTP parser and use an excessive amount of memory, potentially leading to DoS.(CVE-2026-54277)\n\nAn attacker may be able to send a compressed payload in specific situations that could be decompressed into memory, potentially leading to DoS (a zip bomb edge case).(CVE-2026-54278)\n\nHost-only cookies If you save a cookie and later restore it, you lose the host-only status. CookieJar.save()CookieJar.load() affects host-only cookies loaded from disk that may be sent to subdomains that should previously have been banned(CVE-2026-54279)\n\nPayload resources are not closed correctly when a client disconnects in the middle of a write.  Impact If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file.(CVE-2026-54280)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP3","name":"python-aiohttp","purl":"pkg:rpm/openEuler/python-aiohttp&distro=openEuler-24.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.14.1-1.oe2403sp3"}]}],"ecosystem_specific":{"aarch64":["python-aiohttp-debuginfo-3.14.1-1.oe2403sp3.aarch64.rpm","python-aiohttp-debugsource-3.14.1-1.oe2403sp3.aarch64.rpm","python-aiohttp-help-3.14.1-1.oe2403sp3.aarch64.rpm","python3-aiohttp-3.14.1-1.oe2403sp3.aarch64.rpm"],"src":["python-aiohttp-3.14.1-1.oe2403sp3.src.rpm"],"x86_64":["python-aiohttp-debuginfo-3.14.1-1.oe2403sp3.x86_64.rpm","python-aiohttp-debugsource-3.14.1-1.oe2403sp3.x86_64.rpm","python-aiohttp-help-3.14.1-1.oe2403sp3.x86_64.rpm","python3-aiohttp-3.14.1-1.oe2403sp3.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2838"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-54273"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-54274"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-54275"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-54276"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-54277"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-54278"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-54279"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-54280"}],"database_specific":{"severity":"Medium"}}
