7 matches found
CVE-2026-48710
Starlette (Python ASGI framework) contains a Host header validation issue in versions before 1.0.1. The HTTP Host header was not validated when reconstructing request.url, while routing relies on the raw path and request.url, allowing a malformed Host header to make request.url.path differ from t...
CVE-2023-29159
CVE-2023-29159 covers a directory traversal vulnerability in Starlette. Affected are Starlette versions 0.13.5 and later and prior to 0.27.0, where improper validation of requests to StaticFiles can allow a remote, unauthenticated attacker to view arbitrary files in a Starlette-based web service....
CVE-2026-48818
CVE-2026-48818 concerns Starlette’s StaticFiles on Windows. In versions up to 1.0.1, when handling UNC paths (for example, \attacker.com\share), os.path.realpath can initiate an outbound SMB connection before the path is rejected, triggering SSRF and exposing the service account’s NTLMv2 credenti...
CVE-2026-54283
Starlette (Python-starlette) from 0.4.1 through 1.3.1 is affected by CVE-2026-54283, where request.form() fails to apply max_fields/max_part_size for application/x-www-form-urlencoded, allowing an unauthenticated attacker to send a URL-encoded body with unbounded fields or field size. This result...
CVE-2023-30798
CVE-2023-30798 affects Starlette’s multipart handling via the python-multipart MultipartParser prior to 0.25.0. An unauthenticated remote attacker can exploit unlimited form fields/parts to trigger high memory usage and a denial-of-service of the HTTP service. Public documents confirm Encode Star...
CVE-2026-48817
CVE-2026-48817 affects Starlette 1.0.1 and earlier, where HTTPEndpoint dispatch selects a handler by lowercased method name via getattr without validating against a known HTTP verb. If a Route is used without explicitly listing methods=, every method can reach the endpoint, and non-standard HTTP ...
CVE-2026-54282
The CVE concerns Starlette prior to 1.3.0: HTTP request path is not validated when reconstructing request.url, allowing attacker-controlled hostname by re-parsing a non-absolute path (e.g., @google.com). The issue is fixed in 1.3.0. Remediate by upgrading to 1.3.0+; no exploitation details are pr...