diff --git a/aiohttp-3.13.2.tar.gz b/aiohttp-3.13.2.tar.gz deleted file mode 100644 index 9a7ffef..0000000 --- a/aiohttp-3.13.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:40176a52c186aefef6eb3cad2cdd30cd06e3afbe88fe8ab2af9c0b90f228daca -size 7837994 diff --git a/aiohttp-3.13.3.tar.gz b/aiohttp-3.13.3.tar.gz new file mode 100644 index 0000000..ff64997 --- /dev/null +++ b/aiohttp-3.13.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a949eee43d3782f2daae4f4a2819b2cb9b0c5d3b7f7a927067cc84dafdbb9f88 +size 7844556 diff --git a/fix-vendoring.patch b/fix-vendoring.patch index 3075e26..c82135c 100644 --- a/fix-vendoring.patch +++ b/fix-vendoring.patch @@ -1,6 +1,8 @@ ---- a/Makefile.orig 2025-10-16 13:56:38.297077787 +0200 -+++ b/Makefile 2025-10-16 13:59:43.532929894 +0200 -@@ -47,10 +47,8 @@ +Index: aiohttp-3.13.3/Makefile +=================================================================== +--- aiohttp-3.13.3.orig/Makefile ++++ aiohttp-3.13.3/Makefile +@@ -47,10 +47,8 @@ endif .SECONDARY: $(call to-hash,$(ALLS)) .update-pip: @@ -11,7 +13,7 @@ @touch .install-cython aiohttp/_find_header.c: $(call to-hash,aiohttp/hdrs.py ./tools/gen.py) -@@ -85,7 +83,6 @@ +@@ -85,7 +83,6 @@ cythonize: .install-cython $(PYXS:.pyx=. cythonize-nodeps: $(PYXS:.pyx=.c) aiohttp/_websocket/reader_c.c .install-deps: .install-cython $(PYXS:.pyx=.c) aiohttp/_websocket/reader_c.c $(call to-hash,$(CYS) $(REQS)) @@ -19,7 +21,7 @@ @touch .install-deps .PHONY: lint -@@ -100,7 +97,6 @@ +@@ -100,7 +97,6 @@ mypy: mypy .develop: .install-deps generate-llhttp $(call to-hash,$(PYS) $(CYS) $(CS)) @@ -27,7 +29,7 @@ @touch .develop .PHONY: test -@@ -110,12 +106,12 @@ +@@ -110,12 +106,12 @@ test: .develop .PHONY: vtest vtest: .develop @pytest -s -v @@ -42,7 +44,7 @@ define run_tests_in_docker -@@ -151,7 +147,7 @@ +@@ -151,7 +147,7 @@ clean: @rm -rf build @rm -rf cover @make -C docs clean 
@@ -51,7 +53,7 @@ @rm -f aiohttp/*.so @rm -f aiohttp/*.pyd @rm -f aiohttp/*.html -@@ -182,7 +178,6 @@ +@@ -182,7 +178,6 @@ doc-spelling: .PHONY: install install: .update-pip @@ -59,14 +61,16 @@ .PHONY: install-dev install-dev: .develop -@@ -190,4 +185,4 @@ +@@ -190,4 +185,4 @@ install-dev: .develop .PHONY: sync-direct-runtime-deps sync-direct-runtime-deps: - @echo Updating 'requirements/runtime-deps.in' from 'setup.cfg'... >&2 + @echo Updating 'requirements/runtime-deps.in' from 'pyproject.toml'... >&2 - @python requirements/sync-direct-runtime-deps.py + python3 requirements/sync-direct-runtime-deps.py ---- a/tools/gen.py.orig 2025-10-16 14:00:10.257485651 +0200 -+++ a/tools/gen.py 2025-10-16 14:00:18.604659234 +0200 +Index: aiohttp-3.13.3/tools/gen.py +=================================================================== +--- aiohttp-3.13.3.orig/tools/gen.py ++++ aiohttp-3.13.3/tools/gen.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/python3 diff --git a/python-aiohttp.changes b/python-aiohttp.changes index 7800fc7..65ad276 100644 --- a/python-aiohttp.changes +++ b/python-aiohttp.changes 
@@ -1,3 +1,37 @@
+-------------------------------------------------------------------
+Fri Jan 9 01:40:14 UTC 2026 - Steve Kowalik
+
+- Update to 3.13.3:
+ * Security
+ + Brotli and brotlicffi minimum version is now 1.2. Decompression now has
+ a default maximum output size of 32MiB per decompress call
+ (bsc#1256017, CVE-2025-69223, GHSA-6mq8-rvhq-8wgg)
+ + Check for ASCII in header values
+ (bsc#1256018, CVE-2025-69224, GHSA-69f9-5gxw-wvc2)
+ + Forbid non-ASCII decimals in the Range header
+ (bsc#1256019, CVE-2025-69225, GHSA-mqqc-3gqh-h2x8)
+ + Reject static URLs that traverse outside static root
+ (bsc#1256020, CVE-2025-69226, GHSA-54jq-c3m8-4m76)
+ + Raise exceptions when processing a POST body
+ (bsc#1256021, CVE-2025-69227, GHSA-jj3x-wxrx-4x23)
+ + Enforce client_max_size over entire multipart form
+ (bsc#1256022, CVE-2025-69228, GHSA-6jhg-hg63-jvvf)
+ + Pause reading of chunks when it reaches a high water mark
+ (bsc#1256023, CVE-2025-69229, GHSA-g84x-mcqj-x9qq)
+ + Log only once per Cookie header
+ (bsc#1256024, CVE-2025-69230, GHSA-fh55-r93g-j68g)
+ * Bug fixes
+ + Fixed proxy authorization headers not being passed when reusing a
+ connection, which caused 407 (Proxy authentication required) errors
+ + Fixed multipart reading failing when encountering an empty body part
+ + Fixed a case where the parser wasn't raising an exception for a
+ websocket continuation frame when there was no initial frame in context
+ * Miscellaneous internal changes
+ + Optimized web server performance when access logging is disabled by
+ reducing time syscalls
+ + Added regression test for cached logging status
+- Refreshed patch fix-vendoring.patch
+
 -------------------------------------------------------------------
 Fri Nov 14 03:13:57 UTC 2025 - Steve Kowalik
diff --git a/python-aiohttp.spec b/python-aiohttp.spec
index d7c453e..ec8b353 100644
--- a/python-aiohttp.spec
+++ b/python-aiohttp.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package python-aiohttp
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 %bcond_with docs
 %{?sle15_python_module_pythons}
 Name: python-aiohttp
-Version: 3.13.2
+Version: 3.13.3
 Release: 0
 Summary: Asynchronous HTTP client/server framework
 License: Apache-2.0
@@ -42,7 +42,7 @@ Requires: python-frozenlist >= 1.1.1
 Requires: (python-charset-normalizer >= 2.0 with python-charset-normalizer < 4)
 Requires: (python-multidict >= 4.5 with python-multidict < 7)
 Requires: (python-yarl >= 1.17.0 with python-yarl < 2)
-Recommends: python-Brotli
+Recommends: python-Brotli >= 1.2
 Recommends: python-aiodns
 Recommends: python-cChardet
 Suggests: %{name}-doc
@@ -65,7 +65,7 @@ BuildRequires: %{python_module multidict >= 4.5 with %python-multidict < 7}
 BuildRequires: %{python_module yarl >= 1.17.0 with %python-yarl < 2}
 # /SECTION
 # SECTION test requirements
-BuildRequires: %{python_module Brotli}
+BuildRequires: %{python_module Brotli >= 1.2}
 BuildRequires: %{python_module blockbuster}
 BuildRequires: %{python_module freezegun}
 BuildRequires: %{python_module gunicorn}
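Review bot: `Recommends: python-Brotli >= 1.2` in the `@@ -42,7 +42,7 @@` hunk is only a weak dependency, so an older python-Brotli that is already installed can stay in place next to aiohttp 3.13.3. The changelog ties the CVE-2025-69223 decompression limit to Brotli 1.2; if the limit really depends on that version, the fix could be silently ineffective on such systems, so consider adding `Conflicts: python-Brotli < 1.2` next to the Recommends line. The changelog also names brotlicffi, and no matching constraint for it is visible in these hunks, so it is worth confirming whether a python-brotlicffi package needs the same treatment. The `BuildRequires` change in the `@@ -65,7 +65,7 @@` hunk already enforces 1.2 for the test run.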