{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:2daf3bb0-e460-557f-894f-0b1696783b36",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:pypi/aiohttp@3.8.6",
      "type": "library",
      "name": "aiohttp",
      "version": "3.8.6",
      "purl": "pkg:pypi/aiohttp@3.8.6"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:ee239612-9824-5938-9e27-2b40ddd5f878",
      "id": "CVE-2023-49081",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2023-49081 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:96a93766-1bd5-5472-bd7d-93029c116cd5",
      "id": "CVE-2024-23334",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-23334 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:762947b2-03e3-536e-93fa-c33c7f841ddd",
      "id": "CVE-2024-23829",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-23829 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a612f0f1-4956-5881-b632-31f79a4c88bc",
      "id": "CVE-2024-27306",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-27306 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:847248d6-95bd-5a1c-88f7-4ea390886a46",
      "id": "CVE-2024-52304",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-52304 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:360c9974-5f5c-5c51-9ceb-ab2cd43052dd",
      "id": "CVE-2025-53643",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-53643 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a905b5a0-02cf-5c1b-a552-bece56af5b88",
      "id": "CVE-2025-69223",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69223 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a5d45b04-6316-55e8-8e9d-1b0edcd28630",
      "id": "CVE-2025-69224",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69224 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a1769b39-f403-54fb-975b-ff97dc61b097",
      "id": "CVE-2025-69225",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69225 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c78fd721-e235-5ae0-ba99-8ab5a1225670",
      "id": "CVE-2025-69226",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69226 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c53ce29c-648f-5bd7-8752-ab35309f2d7a",
      "id": "CVE-2025-69227",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69227 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:601e5ec5-c2b8-5301-a581-e3ba143d7786",
      "id": "CVE-2025-69228",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69228 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8db95b6a-5652-531e-b401-8aff5c6433c5",
      "id": "CVE-2025-69229",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69229 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:833e7240-7a97-55ec-954e-8fd5d3d9dcb3",
      "id": "CVE-2025-69230",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69230 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c73177a2-81d1-522c-9e5f-719f7283eb46",
      "id": "CVE-2026-34515",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-34515 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d0742b06-14db-5601-8f82-ffb14d7faf06",
      "id": "CVE-2026-34993",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-34993 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:93e3a31a-fd1a-5496-a867-8938aed36431",
      "id": "CVE-2026-50269",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50269 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:eac12f09-3aae-561f-90db-41e6b5bd9596",
      "id": "CVE-2026-54273",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54273 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9a2d11c6-8c32-59bb-a31d-651a3b8eadea",
      "id": "CVE-2026-54274",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54274 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a381fa5a-6bde-52b0-a0a0-8ea63eeb752e",
      "id": "CVE-2026-54275",
      "analysis": {
        "state": "not_affected",
        "detail": "CVE-2026-54275 does not affect version 3.8.6 of aiohttp; the assessment was made against aiohttp version 3.8.6.post6+tuxcare. The vulnerability requires the per-request server_hostname parameter feature, which was introduced in version 3.9.0 and does not exist in this version."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f8a0d60b-07e2-5dd6-aa62-40e1911770e0",
      "id": "CVE-2026-54276",
      "analysis": {
        "state": "not_affected",
        "detail": "CVE-2026-54276 does not affect version 3.8.6 of aiohttp. The target repository (aiohttp version 3.8.6.post6+tuxcare) does not contain the DigestAuthMiddleware component that is affected by CVE-2026-54276. This feature was introduced in aiohttp version 3.12, but the target runs version 3.8.6. Without DigestAuthMiddleware, the cross-origin credential disclosure vulnerability cannot manifest."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:78d88f23-415b-563f-a6e5-5cd3ad573903",
      "id": "CVE-2026-54277",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54277 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:fac2872b-f7a7-569f-935d-ba221d8c970b",
      "id": "CVE-2026-54278",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54278 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e356cc6e-2b7a-5a15-a314-d3f372d62ae3",
      "id": "CVE-2026-54279",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54279 affects version 3.8.6 of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ab3d8f84-4a33-5d03-bbb0-64fd452f7859",
      "id": "CVE-2026-54280",
      "analysis": {
        "state": "not_affected",
        "detail": "CVE-2026-54280 does not affect version 3.8.6 of aiohttp; the assessment was made against aiohttp version 3.8.6.post6+tuxcare. The vulnerability is specific to versions that have the Payload.close() method (introduced in May 2025), which is absent in this version, released in October 2023. The target version uses a different architecture in which file-based payloads handle cleanup internally via finally blocks in their write() methods."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:pypi/aiohttp@3.8.6"
    }
  ]
}