{"vulnerability": "CVE-2026-47265", "sightings": [{"uuid": "cfcf2dde-864c-484b-96c1-f3de38d95e87", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-47265", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mndhkudytl24", "content": "CVE-2026-47265 - AIOHTTP vulnerable to cross-origin redirect with per-request cookies\nCVE ID : CVE-2026-47265\n \n Published : June 2, 2026, 6:32 p.m. | 1\u00a0hour, 52\u00a0minutes ago\n \n Description : AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior ...", "creation_timestamp": "2026-06-02T20:44:46.998891Z"}, {"uuid": "258a00f9-74b6-4af8-9f05-ad8346c09aec", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-47265", "type": "seen", "source": "https://gist.github.com/alon710/9df1d7e2f4cb5ed041eded527313ebbc", "content": "# CVE-2026-47265: CVE-2026-47265: Cross-Origin Cookie Leakage in AIOHTTP Client Redirects\n\n> **CVSS Score:** 6.6\n> **Published:** 2026-06-03\n> **Full Report:** https://cvereports.com/reports/CVE-2026-47265\n\n## Summary\nAIOHTTP prior to version 3.14.0 fails to clear request-specific cookies when executing cross-origin automatic HTTP redirects. This vulnerability allows remote web servers to harvest sensitive credentials and session cookies originally scoped to an authorized target domain.\n\n## TL;DR\nAIOHTTP fails to clear the per-request `cookies` parameter during cross-origin redirects, causing sensitive cookies to be transmitted to untrusted third-party servers.\n\n## Technical Details\n\n- **CWE ID**: CWE-346: Origin Validation Error\n- **Attack Vector**: Network\n- **CVSS Score**: 6.6 (Medium)\n- **EPSS Score**: 0.00019 (Percentile: 5.36%)\n- **Impact**: High Confidentiality Loss (Credential Leakage)\n- **Exploit Status**: none\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- AIOHTTP asynchronous HTTP client framework\n- **aiohttp**: < 3.14.0 (Fixed in: `3.14.0`)\n\n## Mitigation\n\n- Upgrade aiohttp to version 3.14.0 or newer to ensure standard origin validation logic applies to local cookie variables.\n- Manually format the Cookie header inside the headers parameter as a temporary workaround if upgrading is not immediately possible.\n- Enforce network-level restrictions on outgoing requests or disable automatic redirect following (allow_redirects=False) when handling high-privilege credentials.\n\n**Remediation Steps:**\n1. Identify all microservices and automated Python scripts utilizing aiohttp for outbound HTTP calls.\n2. Analyze client instances to locate usage of client.get() or client.post() passing the 'cookies' parameter.\n3. Modify dependencies to target aiohttp >= 3.14.0.\n4. In legacy systems, refactor 'cookies' arguments into the 'headers' parameter as 'Cookie: key=value'.\n\n## References\n\n- [AIOHTTP Security Advisory](https://github.com/aio-libs/aiohttp/security/advisories/GHSA-hg6j-4rv6-33pg)\n- [CVE-2026-47265 Record](https://www.cve.org/CVERecord?id=CVE-2026-47265)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-47265) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-03T23:40:58.000000Z"}]}