CVE-2026-47265

7.5

HIGH CVSS 3.1

AIOHTTP vulnerable to cross-origin redirect with per-request cookies

Overview

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect. Version 3.14.0 patches the issue. If unable to upgrade, using a `Cookie` header in the `headers` parameter is not vulnerable.

Details

INFO

Published Date :

June 2, 2026, 8:16 p.m.

Last Modified :

June 5, 2026, 1:39 p.m.

Remotely Exploit :

Yes !

Source :

[email protected]

Impact

Affected Products

The following products are affected by CVE-2026-47265 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID	Vendor	Product	Action
1	Aiohttp	aiohttp

: Total Affected Vendor : 1 | Products : 1

Scoring

CVSS Scores

The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.

Score	Version	Severity	Vector	Exploitability Score	Impact Score	Source
	CVSS 3.1	HIGH				[email protected]
	CVSS 4.0	MEDIUM				[email protected]

Solution

Update AIOHTTP to version 3.14.0 or later to prevent cookie leakage during redirects.

Upgrade AIOHTTP to version 3.14.0 or later.
Avoid using the `cookies` parameter for sensitive data.
Use the `Cookie` header in `headers` parameter instead.

Public PoC/Exploit Available at Github

CVE-2026-47265 has a 4 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-47265.

URL	Resource
https://github.com/aio-libs/aiohttp/commit/f54c40851b0d6c4bbdab97ba518a223adda32478	Patch
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-hg6j-4rv6-33pg	Mitigation Patch Vendor Advisory

CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-47265 is associated with the following CWEs:

CWE-346: Origin Validation Error

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-47265 weaknesses.

CAPEC-21: Exploitation of Trusted Identifiers Exploitation of Trusted Identifiers CAPEC-59: Session Credential Falsification through Prediction Session Credential Falsification through Prediction CAPEC-60: Reusing Session IDs (aka Session Replay) Reusing Session IDs (aka Session Replay) CAPEC-75: Manipulating Writeable Configuration Files Manipulating Writeable Configuration Files CAPEC-76: Manipulating Web Input to File System Calls Manipulating Web Input to File System Calls CAPEC-89: Pharming Pharming CAPEC-111: JSON Hijacking (aka JavaScript Hijacking) JSON Hijacking (aka JavaScript Hijacking) CAPEC-141: Cache Poisoning Cache Poisoning CAPEC-142: DNS Cache Poisoning DNS Cache Poisoning CAPEC-160: Exploit Script-Based APIs Exploit Script-Based APIs CAPEC-384: Application API Message Manipulation via Man-in-the-Middle Application API Message Manipulation via Man-in-the-Middle CAPEC-385: Transaction or Event Tampering via Application API Manipulation Transaction or Event Tampering via Application API Manipulation CAPEC-386: Application API Navigation Remapping Application API Navigation Remapping CAPEC-387: Navigation Remapping To Propagate Malicious Content Navigation Remapping To Propagate Malicious Content CAPEC-388: Application API Button Hijacking Application API Button Hijacking CAPEC-510: SaaS User Request Forgery SaaS User Request Forgery

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Gabriel329-bot/awg-seldfhosted-bot

None

Makefile Python Shell

Updated: 1 week, 6 days ago

0 stars 0 fork 0 watcher

Born at : June 9, 2026, 7:13 p.m. This repo has been linked 2 different CVEs too.

OrenAshkenazy/AegisLocal

Local-first security scanning for AI applications and local LLM deployments

Python

Updated: 2 weeks ago

0 stars 0 fork 0 watcher

Born at : May 4, 2026, 5 p.m. This repo has been linked 3 different CVEs too.

Egor051/vpnbot

Telegram VPN bot for self-hosted Ubuntu VDS. Manages Xray VLESS Reality, AmneziaWG, SOCKS5/Dante, and MTProto Proxy with user approval, audit logging, and traffic statistics.

aiogram amneziawg python selfhosted sqlite systemd telegram-bot ubuntu vless-reality vpn-bot wireguard xray mtproto proxy socks5 user-management

Python Shell Makefile

Updated: 2 weeks, 2 days ago

2 stars 0 fork 0 watcher

Born at : April 20, 2026, 10:41 p.m. This repo has been linked 2 different CVEs too.

prefect421/mvidarr

MVidarr - The Music Video Management System

HTML Python Shell JavaScript CSS TypeScript Batchfile Dockerfile Mako Go Template

Updated: 2 weeks, 2 days ago

40 stars 1 fork 1 watcher

Born at : July 24, 2025, 1:49 a.m. This repo has been linked 11 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-47265 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2026-47265 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

Initial Analysis by [email protected]

Jun. 05, 2026

Action	Type	New Value
Added	CVSS V3.1	AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Added	CPE Configuration	OR cpe:2.3:a:aiohttp:aiohttp::::::::* versions up to (excluding) 3.14.0
Added	Reference Type	GitHub, Inc.: https://github.com/aio-libs/aiohttp/commit/f54c40851b0d6c4bbdab97ba518a223adda32478 Types: Patch
Added	Reference Type	GitHub, Inc.: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-hg6j-4rv6-33pg Types: Mitigation, Patch, Vendor Advisory

New CVE Received by [email protected]

Jun. 02, 2026

Action	Type	New Value
Added	Description	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect. Version 3.14.0 patches the issue. If unable to upgrade, using a `Cookie` header in the `headers` parameter is not vulnerable.
Added	CVSS V4.0	AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Added	CWE	CWE-346
Added	Reference	https://github.com/aio-libs/aiohttp/commit/f54c40851b0d6c4bbdab97ba518a223adda32478
Added	Reference	https://github.com/aio-libs/aiohttp/security/advisories/GHSA-hg6j-4rv6-33pg

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.