{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:3399991a-a601-5358-b08e-1ea2bfb661ff", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:pypi/aiohttp@3.8.5", "type": "library", "name": "aiohttp", "version": "3.8.5", "purl": "pkg:pypi/aiohttp@3.8.5" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:37dbf6ec-8d12-5168-a477-1c3442f0a76a", "id": "CVE-2024-27306", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-27306 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:660e5f25-593f-5d11-a7c0-afbb8abd60d3", "id": "CVE-2024-30251", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-30251 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:7bc3b43e-3c3e-5bbe-8181-bf806d20cfe8", "id": "CVE-2025-53643", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-53643 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:b1707e8c-e1fa-5de5-b654-9d1c38e298c8", "id": "CVE-2025-69223", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69223 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:db53bb1e-7227-5e72-851c-7e722136de26", "id": "CVE-2025-69224", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69224 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:abff1cdb-8f0e-5c63-940e-a4dab361f47e", "id": "CVE-2025-69225", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69225 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:e19c2ed2-cd50-51df-a30e-63e54efeabb4", "id": "CVE-2025-69226", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69226 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:c94f0df8-0787-52d8-b209-f2344ea65044", "id": "CVE-2025-69227", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69227 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:866c8f62-96ff-5f9b-9259-c71b5315ca86", "id": "CVE-2025-69228", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69228 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:98544f9f-4db7-5eba-911b-40ccef972610", "id": "CVE-2025-69229", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69229 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:7d466c85-4dd2-549f-9810-09ab5e2c101b", "id": "CVE-2025-69230", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-69230 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:5e7df2b1-86f6-5201-9a72-18fbeeec12de", "id": "CVE-2026-34515", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-34515 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:56dff01c-ac6e-571d-b63b-0e5490176eca", "id": "CVE-2026-34525", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-34525 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:383cca73-9890-5703-b21e-b68de224c5b5", "id": "CVE-2026-34993", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-34993 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:4deb6be2-00f7-5dc8-beee-44fd117e1848", "id": "CVE-2026-47265", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-47265 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:120df206-dfae-5512-900d-5c04609cb1fc", "id": "CVE-2026-50269", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50269 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:9bdac4b8-59d4-5b0b-b52a-ceaa73371892", "id": "CVE-2026-54273", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54273 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:793510f3-19dd-53e6-813a-d9d4398662c3", "id": "CVE-2026-54274", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54274 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:e2fb91f1-d5b7-5cd2-b8ba-0f84cf0a1ee1", "id": "CVE-2026-54275", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54275 does not affect version 3.8.5 of aiohttp. not_affected \u2014 Version 3.8.5 does not support the per-request server_hostname parameter feature required to trigger this vulnerability. The server_hostname is always derived from req.host internally, which is already included in the ConnectionKey, preventing incorrect connection reuse." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:db2d801b-46ec-5d03-ba48-e243fcf6d6ce", "id": "CVE-2026-54276", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54276 does not affect version 3.8.5 of aiohttp. not_affected \u2014 DigestAuthMiddleware component does not exist in aiohttp version 3.8.5. The vulnerable component was introduced 4623 commits later in May 2025. The target version only supports BasicAuth, which already includes cross-origin protection that strips Authorization headers on redirects to different origins." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:ba30d176-1baa-5f6c-b180-f57b3db74035", "id": "CVE-2026-54277", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54277 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:23180a39-b896-5656-9594-1b9210fa27d7", "id": "CVE-2026-54278", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54278 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:c1e16e83-1bd6-5858-bdd1-0e916c6230be", "id": "CVE-2026-54279", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54279 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:0640b289-4d7f-549d-8fc1-50f4dd3d1754", "id": "CVE-2026-54280", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54280 does not affect version 3.8.5 of aiohttp. not_affected \u2014 Version 3.8.5 is not affected by CVE-2026-54280. The vulnerability requires the Payload.close() architecture introduced in aiohttp 3.14+, where write_eof() must explicitly call close() in a try/finally block. Version 3.8.5 uses a fundamentally different pattern: file cleanup is embedded within payload write() methods via try/finally blocks, ensuring resources are released even when transmission..." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }, { "bom-ref": "urn:uuid:65bd39a7-4c06-5fe5-a278-0adda6d5ecf6", "id": "GHSA-pjjw-qhg8-p2p9", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-pjjw-qhg8-p2p9 affects version 3.8.5 of aiohttp." }, "affects": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] } ], "dependencies": [ { "ref": "pkg:pypi/aiohttp@3.8.5" } ] }