CVE-2026-25480

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remo...

CVE-2026-25479

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, in litestar.middleware.allowedhosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning e.g., . matches any character. This enables a bypass...

CVE-2026-25478

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, CORSConfig.allowedoriginsregex is constructed using a regex built from configured allowlist values and used with fullmatch for validation. Because metacharacters are not escaped, a malicious origin can match...

CVE-2026-25480

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remo...

CVE-2026-25478

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, CORSConfig.allowedoriginsregex is constructed using a regex built from configured allowlist values and used with fullmatch for validation. Because metacharacters are not escaped, a malicious origin can match...

CVE-2026-25479

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, in litestar.middleware.allowedhosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning e.g., . matches any character. This enables a bypass...

3lc (>=2.19.0 <=2.21.3), litestar-htmx (>=0.1.0 <=0.3.0) +2 more potentially affected by CVE-2026-25478 via litestar (>=2.0.0b2 <=2.15.2)

litestar PYPI version =2.0.0b2, =2.19.0, =0.1.0, =0.2.0, =0.3.14, =0.3.35 Source cves: CVE-2026-25478 Source advisory: SNYK:PYTHON-LITESTAR-15253000...

Permissive Cross-domain Policy with Untrusted Domains

Overview litestar is a Litestar - A production-ready, highly performant, extensible ASGI API Framework Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains via the CORSConfig.allowedoriginsregex, which uses a regex built from configured allowli...

3lc (>=2.19.0 <=2.21.3), litestar-htmx (>=0.1.0 <=0.3.0) +2 more potentially affected by CVE-2026-25480 via litestar (>=2.0.0b2 <=2.15.2)

litestar PYPI version =2.0.0b2, =2.19.0, =0.1.0, =0.2.0, =0.3.14, =0.3.35 Source cves: CVE-2026-25480 Source advisory: SNYK:PYTHON-LITESTAR-15253019...

Improper Handling of Unicode Encoding

Overview litestar is a Litestar - A production-ready, highly performant, extensible ASGI API Framework Affected versions of this package are vulnerable to Improper Handling of Unicode Encoding via the safefilename in the stores/file.py‎. An attacker can cause cached responses for one URL to be...

Incorrect Regular Expression

Overview litestar is a Litestar - A production-ready, highly performant, extensible ASGI API Framework Affected versions of this package are vulnerable to Incorrect Regular Expression via the allowedhosts host validation. An attacker can gain unauthorized access by supplying a specially crafted...

3lc (>=2.19.0 <=2.21.3), litestar-htmx (>=0.1.0 <=0.3.0) +2 more potentially affected by CVE-2026-25479 via litestar (>=2.0.0b2 <=2.15.2)

litestar PYPI version =2.0.0b2, =2.19.0, =0.1.0, =0.2.0, =0.3.14, =0.3.35 Source cves: CVE-2026-25479 Source advisory: SNYK:PYTHON-LITESTAR-15253006...

CVE-2026-25480

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remo...

CVE-2026-25480 FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD)

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remo...

CVE-2026-25480 FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD)

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remo...

CVE-2026-25479 Litestar has an AllowedHosts validation bypass due to unescaped regex metacharacters in configured host patterns

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, in litestar.middleware.allowedhosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning e.g., . matches any character. This enables a bypass...

CVE-2026-25479 Litestar has an AllowedHosts validation bypass due to unescaped regex metacharacters in configured host patterns

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, in litestar.middleware.allowedhosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning e.g., . matches any character. This enables a bypass...

CVE-2026-25479

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, in litestar.middleware.allowedhosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning e.g., . matches any character. This enables a bypass...

CVE-2026-25479 Litestar has an AllowedHosts validation bypass due to unescaped regex metacharacters in configured host patterns

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, in litestar.middleware.allowedhosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning e.g., . matches any character. This enables a bypass...

CVE-2026-25479

Litestar is an ASGI framework. Prior to 2.20.0, litestar.middleware.allowed_hosts compiles allowlist entries into regex patterns in a way that lets regex metacharacters retain special meaning (e.g., . matches any character). This can enable a bypass where a host that matches the regex is not the ...