CVE-2026-42545

Source
https://cve.org/CVERecord?id=CVE-2026-42545
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42545.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42545
Aliases
Downstream
Related
Published
2026-05-12T21:51:47.473Z
Modified
2026-07-08T08:13:25.107376325Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Granian: DoS via WSGI response header panic
Details

Granian is a Rust HTTP server for Python applications. From 0.2.0 to 2.7.4, Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI response conversion path uses .unwrap() on both the header name and header value constructors, so malformed output from the application becomes a process abort instead of a handled error. This vulnerability is fixed in 2.7.4.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42545.json",
    "cwe_ids": [
        "CWE-248",
        "CWE-755"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/emmett-framework/granian

Affected ranges

Type
GIT
Repo
https://github.com/emmett-framework/granian
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0.2.0"
        },
        {
            "fixed": "2.7.4"
        }
    ]
}

Affected versions

v0.*
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.3.0
v0.3.1
v0.3.2
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.1.0
v1.1.1
v1.1.2
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.3.0
v1.3.1
v1.3.2
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.5.0
v1.5.1
v1.5.2
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v2.*
v2.0.0
v2.0.1
v2.1.0
v2.1.1
v2.1.2
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.4.0
v2.4.1
v2.4.2
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.6.0
v2.6.1
v2.7.0
v2.7.1
v2.7.2
v2.7.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42545.json"