CVE-2026-48746

vLLM is an inference and serving engine for large language models LLMs. From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows to use the API without providing t...

CVE-2026-48746

vLLM OpenAI auth bypass (CVE-2026-48746) affects vLLM versions 0.3.0 through 0.21.0. Root cause: ASGI servers and Starlette trust the Host header from the request scope, enabling manipulation of the reconstructed URL path and bypassing the OpenAI API AuthenticationMiddleware for routes beginning ...

UBUNTU-CVE-2026-54283

Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form accepts maxfields and maxpartsize to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An...

vLLM: OpenAI auth bypass

Summary A vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware, which was discovered during @x41sec's source code audit. It allows to use the API without providing the configured VLLMAPIKEY or...

GHSA-94F4-HR76-P5J6 vLLM: OpenAI auth bypass

Summary A vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware, which was discovered during @x41sec's source code audit. It allows to use the API without providing the configured VLLMAPIKEY or...

CVE-2026-44546

The vulnerability (CVE-2026-44546) affects the Daphne web server prior to 4.2.2. It stems from a parser differential between Twisted and Autobahn: Twisted does not treat certain bytes (0x0b, 0x0c, 0x1c, 0x1d, 0x1e, 0x85) as header separators, while Autobahn decodes header values to str and calls ...

CVE-2026-44546 Header injection via WebSocket upgrade parser differential allows ASGI scope header spoofing

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...

CVE-2026-44546

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...

Django daphne 输入验证错误漏洞

Daphne is an open-source ASGI protocol server developed by Django, which supports HTTP, HTTP2, and WebSocket. Versions of Daphne prior to 4.2.2 contained security vulnerabilities. These vulnerabilities were due to differences in the parser, which could allow attackers to inject additional headers...

Django daphne 资源管理错误漏洞

Daphne is an open-source ASGI server developed by Django that supports HTTP, HTTP2, and WebSocket protocols. Versions of Daphne prior to 4.2.2 contained security vulnerabilities. These vulnerabilities stemmed from the lack of passing the maximum frame size or the payload size of messages, allowin...

Fedora 44 : python-django6 (2026-de6e24ae07)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-de6e24ae07 advisory. - Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass - Fixes CVE-2026-35192: Session...

Fedora 43 : python-django5 (2026-4d1404fc5d)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-4d1404fc5d advisory. - Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass - Fixes CVE-2026-35192: Session...

Fedora 42 : python-django5 (2026-b9548393aa)

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-b9548393aa advisory. - Fixes CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass - Fixes CVE-2026-35192: Session...

CVE-2026-42544 Granian: Unauthenticated DoS via WebSocket subprotocol header panic

Granian is a Rust HTTP server for Python applications. From 1.2.0 to 2.7.4, Granian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes. The crash happens in Granian's WebSocket scope construction...

openSUSE 16 Security Update : python-Django (openSUSE-SU-2026:20704-1)

The remote openSUSE 16 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20704-1 advisory. Changes in python-Django: - CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass bsc1264153 -...

OESA-2026-2218 python-django security update

A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. MultiPartParser allows remote attackers to degrade performance by submitting multipart uploads wi...

Python Library Django 5.2.x < 5.2.14 / 6.0.x < 6.0.5 Multiple Vulnerabilities

The detected version of the Django Python package is 5.2.x prior to 5.2.14 or 6.0.x prior to 6.0.5. It is, therefore, affected by multiple vulnerabilities, including: - ASGI requests with a missing or understated Content-Length header can bypass the FILEUPLOADMAXMEMORYSIZE limit, potentially...

Django: Django: Denial of Service via crafted request with duplicate headers

A flaw was found in Django. A remote attacker can exploit this vulnerability by sending a crafted request containing multiple duplicate headers to the ASGIRequest component. This can lead to a potential Denial of Service DoS, making the affected system unavailable to legitimate users...

SUSE-SU-2026:1740-1 Security update for python-Django

This update for python-Django fixes the following issues - CVE-2026-3902: headers spoofing by exploiting an ambiguous mapping of two header variants in ASGIRequest requests bsc1261729. - CVE-2026-4277: permissions on inline model instances were not validated on submission of forged POST data in...

OPENSUSE-SU-2026:20704-1 Security update for python-Django

This update for python-Django fixes the following issues: Changes in python-Django: - CVE-2026-5766: Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass bsc1264153 - CVE-2026-35192: Session fixation via public cached pages and SESSIONSAVEEVERYREQUEST bsc1264154...