Lucene search
K

4 matches found

CVE
CVE
added 2026/06/17 5:50 p.m.116 views

CVE-2026-48818

CVE-2026-48818 concerns Starlette’s StaticFiles on Windows. In versions up to 1.0.1, when handling UNC paths (for example, \attacker.com\share), os.path.realpath can initiate an outbound SMB connection before the path is rejected, triggering SSRF and exposing the service account’s NTLMv2 credenti...

7.5CVSS5.3AI score0.00368EPSS
CVE
CVE
added 2023/04/21 3:27 p.m.74 views

CVE-2023-30798

CVE-2023-30798 affects Starlette’s multipart handling via the python-multipart MultipartParser prior to 0.25.0. An unauthenticated remote attacker can exploit unlimited form fields/parts to trigger high memory usage and a denial-of-service of the HTTP service. Public documents confirm Encode Star...

7.5CVSS7.4AI score0.01288EPSS
CVE
CVE
added 2026/06/17 7:48 p.m.72 views

CVE-2026-48817

CVE-2026-48817 affects Starlette 1.0.1 and earlier, where HTTPEndpoint dispatch selects a handler by lowercased method name via getattr without validating against a known HTTP verb. If a Route is used without explicitly listing methods=, every method can reach the endpoint, and non-standard HTTP ...

5.3CVSS5.2AI score0.00213EPSS
CVE
CVE
added 2026/06/22 4:45 p.m.65 views

CVE-2026-54282

The CVE concerns Starlette prior to 1.3.0: HTTP request path is not validated when reconstructing request.url, allowing attacker-controlled hostname by re-parsing a non-absolute path (e.g., @google.com). The issue is fixed in 1.3.0. Remediate by upgrading to 1.3.0+; no exploitation details are pr...

5.3CVSS5.9AI score0.00187EPSS