{"id":"PYSEC-2026-1111","summary":"aiosmtpd STARTTLS unencrypted commands injection","details":"### Summary\nServers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection. This could be exploited by a MitM attack.\n\n### References\n* [NO STARTTLS: Similar vulnerabilities discovered by previous researchers.](https://nostarttls.secvuln.info/)","aliases":["CVE-2024-34083","GHSA-wgjv-9j3q-jhg8"],"modified":"2026-07-07T17:46:10.952069511Z","published":"2026-07-07T11:45:42.819390Z","references":[{"type":"WEB","url":"https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34083"},{"type":"WEB","url":"https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda"},{"type":"PACKAGE","url":"https://github.com/aio-libs/aiosmtpd"},{"type":"WEB","url":"https://nostarttls.secvuln.info"},{"type":"PACKAGE","url":"https://pypi.org/project/aiosmtpd"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-wgjv-9j3q-jhg8"}],"affected":[{"package":{"name":"aiosmtpd","ecosystem":"PyPI","purl":"pkg:pypi/aiosmtpd"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.6"}]}],"versions":["1.0","1.0a1","1.0a2","1.0a3","1.0a4","1.0a5","1.0b1","1.0rc1","1.1","1.2","1.2.2","1.2.4","1.3.0","1.3.1","1.3.2","1.4.0","1.4.1","1.4.2","1.4.3","1.4.3rc1","1.4.3rc2","1.4.4","1.4.4.post1","1.4.4.post2","1.4.5"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/aiosmtpd/PYSEC-2026-1111.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}