What is GHSA-jg22-mg44-37j8?

GHSA-jg22-mg44-37j8 is a security advisory published by GitHub Security Advisories with Medium severity. AIOHTTP is Vulnerable to Deserialization of Untrusted Data

Which CVE IDs does GHSA-jg22-mg44-37j8 cover?

GHSA-jg22-mg44-37j8 covers the following CVE IDs: CVE-2026-34993. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-jg22-mg44-37j8?

GHSA-jg22-mg44-37j8 has a CVSS v3 base score of 6.4, published by GitHub Security Advisories.

Which products are affected by GHSA-jg22-mg44-37j8?

GHSA-jg22-mg44-37j8 affects 1 product, including: pip/aiohttp:\u003c 3.14.0.

GHSA-jg22-mg44-37j8MediumCVSS 6.4

AIOHTTP is Vulnerable to Deserialization of Untrusted Data

Vendor

GitHub Security Advisories

Published

June 3, 2026

Last Modified

June 3, 2026

🔗 CVE IDs covered (1)

CVE-2026-34993 →

📋 Description

Summary

Using CookieJar.load() with untrusted input may allow arbitrary code execution.

Impact

Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications.

Workaround

If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitise the files before loading.

Patch: https://github.com/aio-libs/aiohttp/commit/dcf40f30637e8752c76781cf6703b5a236749a00

🎯 Affected products1

pip/aiohttp:< 3.14.0

🔗 References (4)

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jg22-mg44-37j8
https://nvd.nist.gov/vuln/detail/CVE-2026-34993
https://github.com/aio-libs/aiohttp/commit/dcf40f30637e8752c76781cf6703b5a236749a00
https://github.com/advisories/GHSA-jg22-mg44-37j8