cbcvebase.

Kludex Starlette vulnerabilities

6 known vulnerabilities affecting kludex/starlette.

Total CVEs
6
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
HIGH3MEDIUM3

Vulnerabilities

Page 1 of 1
CVE-2026-48710P3MEDIUMCVSS 6.5PoCfixed in 1.0.12026-05-26
CVE-2026-48710 [MEDIUM] CWE-444 CVE-2026-48710: Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request h Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the p
nvd
CVE-2026-48818P3HIGHCVSS 7.5fixed in 1.1.02026-06-17
CVE-2026-48818 [HIGH] CWE-918 CVE-2026-48818: Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Win Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \\attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected, exposing the service account’s NTLMv2 credentials for offline cracking or relay even thou
cvelistv5nvd
CVE-2025-62727P3HIGHCVSS 7.5v>= 0.39.0, < 0.49.12025-10-28
CVE-2025-62727 [HIGH] CWE-407 CVE-2025-62727: Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0 Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1 , an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints se
nvd
CVE-2026-54283P3HIGHCVSS 7.5v>= 0.4.1, < 1.3.12026-06-22
CVE-2026-54283 [HIGH] CWE-770 CVE-2026-54283: Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts ma Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded
nvd
CVE-2026-48817P4MEDIUMCVSS 5.3fixed in 1.1.02026-06-17
CVE-2026-48817 [MEDIUM] CWE-470 CVE-2026-48817: Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a r Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a request, HTTPEndpoint selects the handler by lowercasing the HTTP method and looking it up as an attribute with getattr, without restricting the lookup to a known set of HTTP verbs. When an HTTPEndpoint subclass is registered through Route(...) without
cvelistv5nvd
CVE-2026-54282P4MEDIUMCVSS 5.3fixed in 1.3.02026-06-22
CVE-2026-54282 [MEDIUM] CWE-706 CVE-2026-54282: Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not vali Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-p
nvd
Kludex Starlette vulnerabilities | cvebase