DEBIAN-CVE-2026-48710

Source
https://security-tracker.debian.org/tracker/CVE-2026-48710
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48710.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-48710
Upstream
  • CVE-2026-48710
Published
2026-05-26T22:16:44.020Z
Modified
2026-05-27T23:00:26.935214470Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
[none]
Details

Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP Host request header was not validated before being used to reconstruct request.url. Because the routing algorithm relies on the raw HTTP path while request.url is rebuilt from the Host header, a malformed header could make request.url.path differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on request.url (rather than the raw scope path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the Host header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing request.url and falls back to scope["server"] for malformed values.

References

Affected packages

Debian:11 / starlette

Package

Name
starlette
Purl
pkg:deb/debian/starlette?arch=source&distro=bullseye

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

0.*
0.14.1-1
0.16.0-1
0.18.0-1
0.20.4-1
0.23.1-1
0.24.0-1
0.25.0-1
0.25.0-2
0.26.1-1
0.28.0-1
0.30.0-1
0.31.1-1
0.37.2-1
0.38.2-1
0.39.1-1
0.39.2-1
0.41.0-1
0.41.2-1
0.41.3-1
0.41.3-2
0.46.1-1
0.46.1-2
0.46.1-3
0.50.0-1
1.*
1.0.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48710.json"

Debian:12 / starlette

Package

Name
starlette
Purl
pkg:deb/debian/starlette?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.26.1-1+deb12u1

Affected versions

0.*
0.26.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48710.json"

Debian:13 / starlette

Package

Name
starlette
Purl
pkg:deb/debian/starlette?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.46.1-3+deb13u2

Affected versions

0.*
0.46.1-3
0.46.1-3+deb13u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48710.json"

Debian:14 / starlette

Package

Name
starlette
Purl
pkg:deb/debian/starlette?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

0.*
0.46.1-3
0.50.0-1
1.*
1.0.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-48710.json"