Lucene search
K
EncodeStarlette

7 matches found

CVE
CVE
•added 2026/05/26 9:54 p.m.•224 views

CVE-2026-48710

Starlette (Python ASGI framework) contains a Host header validation issue in versions before 1.0.1. The HTTP Host header was not validated when reconstructing request.url, while routing relies on the raw path and request.url, allowing a malformed Host header to make request.url.path differ from t...

6.5CVSS5.8AI score0.01438EPSS
Web
CVE
CVE
•added 2023/06/01 12:0 a.m.•178 views

CVE-2023-29159

CVE-2023-29159 covers a directory traversal vulnerability in Starlette. Affected are Starlette versions 0.13.5 and later and prior to 0.27.0, where improper validation of requests to StaticFiles can allow a remote, unauthenticated attacker to view arbitrary files in a Starlette-based web service....

7.5CVSS7.3AI score0.02032EPSS
CVE
CVE
•added 2026/06/17 5:50 p.m.•118 views

CVE-2026-48818

CVE-2026-48818 concerns Starlette’s StaticFiles on Windows. In versions up to 1.0.1, when handling UNC paths (for example, \attacker.com\share), os.path.realpath can initiate an outbound SMB connection before the path is rejected, triggering SSRF and exposing the service account’s NTLMv2 credenti...

7.5CVSS5.3AI score0.00368EPSS
CVE
CVE
•added 2026/06/22 4:46 p.m.•116 views

CVE-2026-54283

Starlette (Python-starlette) from 0.4.1 through 1.3.1 is affected by CVE-2026-54283, where request.form() fails to apply max_fields/max_part_size for application/x-www-form-urlencoded, allowing an unauthenticated attacker to send a URL-encoded body with unbounded fields or field size. This result...

7.5CVSS5.9AI score0.00275EPSS
CVE
CVE
•added 2023/04/21 3:27 p.m.•75 views

CVE-2023-30798

CVE-2023-30798 affects Starlette’s multipart handling via the python-multipart MultipartParser prior to 0.25.0. An unauthenticated remote attacker can exploit unlimited form fields/parts to trigger high memory usage and a denial-of-service of the HTTP service. Public documents confirm Encode Star...

7.5CVSS7.4AI score0.01288EPSS
CVE
CVE
•added 2026/06/17 7:48 p.m.•75 views

CVE-2026-48817

CVE-2026-48817 affects Starlette 1.0.1 and earlier, where HTTPEndpoint dispatch selects a handler by lowercased method name via getattr without validating against a known HTTP verb. If a Route is used without explicitly listing methods=, every method can reach the endpoint, and non-standard HTTP ...

5.3CVSS5.2AI score0.00213EPSS
CVE
CVE
•added 2026/06/22 4:45 p.m.•65 views

CVE-2026-54282

The CVE concerns Starlette prior to 1.3.0: HTTP request path is not validated when reconstructing request.url, allowing attacker-controlled hostname by re-parsing a non-absolute path (e.g., @google.com). The issue is fixed in 1.3.0. Remediate by upgrading to 1.3.0+; no exploitation details are pr...

5.3CVSS5.9AI score0.00187EPSS