cbcvebase.
CVE-2026-54282
published 2026-06-22

CVE-2026-54282: Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because…

PriorityP431medium5.3CVSS 3.1
AVNACLPRNUINSUCNILAN
EPSS
0.19%
8.5th percentile
Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-parsing, so request.url.hostname and request.url.netloc become attacker-controlled. Code that reads request.url.hostname (rather than the Host header or scope) can therefore be misled into trusting an attacker-supplied host. This vulnerability is fixed in 1.3.0.

Affected

8 ranges
VendorProductVersion rangeFixed in
encodestarlette< 1.3.01.3.0
encodestarlette>= 0 < 1.3.01.3.0
exploit-intelligence-tech-previewvulnerability-analysis-rhel9
kludexstarlette< 1.3.01.3.0
mtamta-solution-server-rhel9
openshift-lightspeedlightspeed-agentic-sandbox-rhel9
openshift-lightspeedlightspeed-ocp-rag-rhel9
openshift-lightspeedlightspeed-service-api-rhel9

CVSS provenance

nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vendor_redhat5.3MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.