{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:8c29e938-84d7-505b-a5b6-8fed37e54aa7", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare", "type": "library", "name": "aiohttp", "version": "3.8.5.post7+tuxcare", "purl": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:f27ec0fd-e677-5647-9ac1-afdf9e14c938", "id": "CVE-2023-47627", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-47627 is fixed in version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:8b419f0f-11fc-596e-a8c6-e8fdcacced48", "id": "CVE-2023-49081", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-49081 is fixed in version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:2e01b7f3-6399-5ea9-8ec2-f40fe4e06705", "id": "CVE-2023-49082", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-49082 is fixed in version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:09ef42e6-ce1a-5d3d-ad52-3b8e4ef75502", "id": "CVE-2024-23334", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-23334 is fixed in version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:248b5334-4284-56d6-be23-759d9310f30b", "id": "CVE-2024-23829", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-23829 is fixed in version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:04f5b892-556e-5d66-8018-badcce6462ce", "id": "CVE-2024-27306", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-27306 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:515c07d9-2988-5f06-97e7-62fcc9b6df05", "id": "CVE-2024-30251", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-30251 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:b4919d6e-4431-54dd-83d8-4f0570df8394", "id": "CVE-2024-52304", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-52304 is fixed in version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:4d302e8c-1806-5137-9d55-cefe8cbb4ae0", "id": "CVE-2025-53643", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-53643 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:492a30bd-17fc-553a-b7d2-7c5dcd03ee90", "id": "CVE-2025-69223", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69223 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:4fe35872-0eba-56c6-aa7c-d19526914609", "id": "CVE-2025-69224", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69224 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:83664bdf-13d6-5b6e-92f5-3e0bb4951ec0", "id": "CVE-2025-69225", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69225 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:4b2c2444-34a2-5e12-af51-ba1c968b095e", "id": "CVE-2025-69226", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69226 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:8e262d1e-db80-5544-90a8-2f1f549bc504", "id": "CVE-2025-69227", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69227 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:027cae3c-a84c-56b8-97f6-f3692b25a80e", "id": "CVE-2025-69228", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69228 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:77bbc8d7-6b28-5758-80e7-85864364cd21", "id": "CVE-2025-69229", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69229 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:63239ae6-0b6e-5023-b627-48f0113b0da7", "id": "CVE-2025-69230", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69230 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:ac902b60-088c-5ab3-9107-b5c1ce3be24d", "id": "CVE-2026-22815", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22815 is fixed in version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:1c9b6adc-e4da-5d0b-9c75-e1f409ae41bf", "id": "CVE-2026-34513", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-34513 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:ea932632-2c2b-5545-a715-ed67327ea3ef", "id": "CVE-2026-34514", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-34514 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:1cd88448-cca2-50c5-9090-c4c868bca1a1", "id": "CVE-2026-34515", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-34515 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:44b89b39-a1fd-52ca-bb06-037b545daccb", "id": "CVE-2026-34516", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-34516 is fixed in version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:575f3075-3ce3-56bb-8f5f-1b70e7d330c3", "id": "CVE-2026-34517", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-34517 is fixed in version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:d36b5f0d-35ee-5c62-94cd-17d05bf0cb24", "id": "CVE-2026-34518", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-34518 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:755a304c-e106-5399-a62c-5e446bd8191f", "id": "CVE-2026-34519", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-34519 is fixed in version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:f7cfd793-e6d3-53f6-8c94-6ad0418645be", "id": "CVE-2026-34520", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-34520 is fixed in version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:c88d66c2-6a6c-5a20-b17c-64373e53874c", "id": "CVE-2026-34525", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-34525 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:a62b9c00-8f85-5522-9d30-bb64ae15f5f8", "id": "CVE-2026-34993", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-34993 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:45bc1691-4199-52e3-a8df-6e9c0ebbebbf", "id": "CVE-2026-47265", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-47265 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:aa2df144-d389-5350-9873-b2a12e44fb6b", "id": "CVE-2026-50269", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50269 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:91d8172f-b0ab-5959-91ea-3626cbcf4aff", "id": "CVE-2026-54273", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54273 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:17453484-fb93-5011-ae0e-c97d0cd611c4", "id": "CVE-2026-54274", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54274 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:7ea031e1-ad30-569b-aaed-dc8cbf8bb11a", "id": "CVE-2026-54275", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54275 does not affect version 3.8.5.post7+tuxcare of aiohttp. not_affected \u2014 Version 3.8.5 does not support the per-request server_hostname parameter feature required to trigger this vulnerability. The server_hostname is always derived from req.host internally, which is already included in the ConnectionKey, preventing incorrect connection reuse." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:431d7bd3-35db-589b-b6b3-43ea0e15027e", "id": "CVE-2026-54276", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54276 does not affect version 3.8.5.post7+tuxcare of aiohttp. not_affected \u2014 DigestAuthMiddleware component does not exist in aiohttp version 3.8.5. The vulnerable component was introduced 4623 commits later in May 2025. The target version only supports BasicAuth, which already includes cross-origin protection that strips Authorization headers on redirects to different origins." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:2fcc8720-d0a4-5ca5-b176-1027ca4e08cd", "id": "CVE-2026-54277", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54277 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:feb2dd95-4f12-568c-b69a-5ba874003238", "id": "CVE-2026-54278", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54278 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:6ae41298-4bdf-5722-8b86-20a38a0efdb9", "id": "CVE-2026-54279", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54279 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:5a06c6d4-6c35-5e83-b2bb-6f683ac97246", "id": "CVE-2026-54280", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54280 does not affect version 3.8.5.post7+tuxcare of aiohttp. not_affected \u2014 Version 3.8.5 is not affected by CVE-2026-54280. The vulnerability requires the Payload.close() architecture introduced in aiohttp 3.14+, where write_eof() must explicitly call close() in a try/finally block. Version 3.8.5 uses a fundamentally different pattern: file cleanup is embedded within payload write() methods via try/finally blocks, ensuring resources are released even when transmission..." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }, { "bom-ref": "urn:uuid:c5c375c4-9e6c-504b-8169-89ddf2917952", "id": "GHSA-pjjw-qhg8-p2p9", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-pjjw-qhg8-p2p9 affects version 3.8.5.post7+tuxcare of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] } ], "dependencies": [ { "ref": "pkg:pypi/aiohttp@3.8.5.post7+tuxcare" } ] }