Vulnerable Library - starlette-0.49.3-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/a3/e0/021c772d6a662f43b63044ab481dc6ac7592447605b5b35a957785363122/starlette-0.49.3-py3-none-any.whl
Path to dependency file: /ai/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/14/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/17/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/9/starlette-0.49.3-py3-none-any.whl
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-54283
Vulnerable Library - starlette-0.49.3-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/a3/e0/021c772d6a662f43b63044ab481dc6ac7592447605b5b35a957785363122/starlette-0.49.3-py3-none-any.whl
Path to dependency file: /ai/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/14/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/17/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/9/starlette-0.49.3-py3-none-any.whl
Dependency Hierarchy:
- ❌ starlette-0.49.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. This vulnerability is fixed in 1.3.1.
Publish Date: 2026-06-22
URL: CVE-2026-54283
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-82w8-qh3p-5jfq
Release Date: 2026-06-15
Fix Resolution: 1.3.1
Step up your Open Source Security Game with Mend here
CVE-2026-48818
Vulnerable Library - starlette-0.49.3-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/a3/e0/021c772d6a662f43b63044ab481dc6ac7592447605b5b35a957785363122/starlette-0.49.3-py3-none-any.whl
Path to dependency file: /ai/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/14/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/17/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/9/starlette-0.49.3-py3-none-any.whl
Dependency Hierarchy:
- ❌ starlette-0.49.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected, exposing the service account’s NTLMv2 credentials for offline cracking or relay even though the HTTP response is only a 404. The issue affects default follow_symlink=False deployments, including frameworks built on Starlette such as FastAPI; POSIX systems and follow_symlink=True are unaffected. The issue is fixed in 1.1.0.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-06-17
URL: CVE-2026-48818
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-06-15
Fix Resolution: https://github.com/encode/starlette.git - 1.1.0,starlette - 1.1.0
Step up your Open Source Security Game with Mend here
CVE-2026-48710
Vulnerable Library - starlette-0.49.3-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/a3/e0/021c772d6a662f43b63044ab481dc6ac7592447605b5b35a957785363122/starlette-0.49.3-py3-none-any.whl
Path to dependency file: /ai/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/14/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/17/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/9/starlette-0.49.3-py3-none-any.whl
Dependency Hierarchy:
- ❌ starlette-0.49.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP "Host" request header was not validated before being used to reconstruct "request.url". Because the routing algorithm relies on the raw HTTP path while "request.url" is rebuilt from the "Host" header, a malformed header could make "request.url.path" differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on "request.url" (rather than the raw "scope" path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the "Host" header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing "request.url" and falls back to "scope["server"]" for malformed values.
Publish Date: 2026-05-26
URL: CVE-2026-48710
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-86qp-5c8j-p5mr
Release Date: 2026-05-26
Fix Resolution: 1.0.1
Step up your Open Source Security Game with Mend here
CVE-2026-48817
Vulnerable Library - starlette-0.49.3-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/a3/e0/021c772d6a662f43b63044ab481dc6ac7592447605b5b35a957785363122/starlette-0.49.3-py3-none-any.whl
Path to dependency file: /ai/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/14/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/17/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/9/starlette-0.49.3-py3-none-any.whl
Dependency Hierarchy:
- ❌ starlette-0.49.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a request, HTTPEndpoint selects the handler by lowercasing the HTTP method and looking it up as an attribute with getattr, without restricting the lookup to a known set of HTTP verbs. When an HTTPEndpoint subclass is registered through Route(...) without an explicit methods= argument, the route does not constrain the method and every method reaches the endpoint. If a non-standard HTTP method whose lowercased name matches an attribute on the endpoint subclass reaches the endpoint, that attribute is invoked as if it were a request handler. An attacker can use this to reach methods that were never meant to be HTTP handlers, such as internal helpers, without the authorization checks applied by the intended public handler. An application (including Starlette-based frameworks like FastAPI) is affected if it registers an HTTPEndpoint subclass via Route(...) without explicitly setting methods=, and that subclass includes extra methods named like non-standard HTTP verbs that take one request argument and return a response. This issue has been fixed in version 1.1.0.
Publish Date: 2026-06-17
URL: CVE-2026-48817
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-x746-7m8f-x49c
Release Date: 2026-06-15
Fix Resolution: 1.1.0
Step up your Open Source Security Game with Mend here
CVE-2026-54282
Vulnerable Library - starlette-0.49.3-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/a3/e0/021c772d6a662f43b63044ab481dc6ac7592447605b5b35a957785363122/starlette-0.49.3-py3-none-any.whl
Path to dependency file: /ai/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/14/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/17/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/9/starlette-0.49.3-py3-none-any.whl
Dependency Hierarchy:
- ❌ starlette-0.49.3-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-parsing, so request.url.hostname and request.url.netloc become attacker-controlled. Code that reads request.url.hostname (rather than the Host header or scope) can therefore be misled into trusting an attacker-supplied host. This vulnerability is fixed in 1.3.0.
Publish Date: 2026-06-22
URL: CVE-2026-54282
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-jp82-jpqv-5vv3
Release Date: 2026-06-15
Fix Resolution: 1.3.0
Step up your Open Source Security Game with Mend here
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/a3/e0/021c772d6a662f43b63044ab481dc6ac7592447605b5b35a957785363122/starlette-0.49.3-py3-none-any.whl
Path to dependency file: /ai/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/14/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/17/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/9/starlette-0.49.3-py3-none-any.whl
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - starlette-0.49.3-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/a3/e0/021c772d6a662f43b63044ab481dc6ac7592447605b5b35a957785363122/starlette-0.49.3-py3-none-any.whl
Path to dependency file: /ai/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/14/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/17/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/9/starlette-0.49.3-py3-none-any.whl
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an arbitrarily large number of fields or an arbitrarily large field, even when the application configured limits it believed would apply. This vulnerability is fixed in 1.3.1.
Publish Date: 2026-06-22
URL: CVE-2026-54283
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-82w8-qh3p-5jfq
Release Date: 2026-06-15
Fix Resolution: 1.3.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - starlette-0.49.3-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/a3/e0/021c772d6a662f43b63044ab481dc6ac7592447605b5b35a957785363122/starlette-0.49.3-py3-none-any.whl
Path to dependency file: /ai/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/14/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/17/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/9/starlette-0.49.3-py3-none-any.whl
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected, exposing the service account’s NTLMv2 credentials for offline cracking or relay even though the HTTP response is only a 404. The issue affects default follow_symlink=False deployments, including frameworks built on Starlette such as FastAPI; POSIX systems and follow_symlink=True are unaffected. The issue is fixed in 1.1.0.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-06-17
URL: CVE-2026-48818
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-06-15
Fix Resolution: https://github.com/encode/starlette.git - 1.1.0,starlette - 1.1.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - starlette-0.49.3-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/a3/e0/021c772d6a662f43b63044ab481dc6ac7592447605b5b35a957785363122/starlette-0.49.3-py3-none-any.whl
Path to dependency file: /ai/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/14/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/17/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/9/starlette-0.49.3-py3-none-any.whl
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP "Host" request header was not validated before being used to reconstruct "request.url". Because the routing algorithm relies on the raw HTTP path while "request.url" is rebuilt from the "Host" header, a malformed header could make "request.url.path" differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on "request.url" (rather than the raw "scope" path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the "Host" header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing "request.url" and falls back to "scope["server"]" for malformed values.
Publish Date: 2026-05-26
URL: CVE-2026-48710
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-86qp-5c8j-p5mr
Release Date: 2026-05-26
Fix Resolution: 1.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - starlette-0.49.3-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/a3/e0/021c772d6a662f43b63044ab481dc6ac7592447605b5b35a957785363122/starlette-0.49.3-py3-none-any.whl
Path to dependency file: /ai/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/14/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/17/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/9/starlette-0.49.3-py3-none-any.whl
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a request, HTTPEndpoint selects the handler by lowercasing the HTTP method and looking it up as an attribute with getattr, without restricting the lookup to a known set of HTTP verbs. When an HTTPEndpoint subclass is registered through Route(...) without an explicit methods= argument, the route does not constrain the method and every method reaches the endpoint. If a non-standard HTTP method whose lowercased name matches an attribute on the endpoint subclass reaches the endpoint, that attribute is invoked as if it were a request handler. An attacker can use this to reach methods that were never meant to be HTTP handlers, such as internal helpers, without the authorization checks applied by the intended public handler. An application (including Starlette-based frameworks like FastAPI) is affected if it registers an HTTPEndpoint subclass via Route(...) without explicitly setting methods=, and that subclass includes extra methods named like non-standard HTTP verbs that take one request argument and return a response. This issue has been fixed in version 1.1.0.
Publish Date: 2026-06-17
URL: CVE-2026-48817
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-x746-7m8f-x49c
Release Date: 2026-06-15
Fix Resolution: 1.1.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - starlette-0.49.3-py3-none-any.whl
The little ASGI library that shines.
Library home page: https://files.pythonhosted.org/packages/a3/e0/021c772d6a662f43b63044ab481dc6ac7592447605b5b35a957785363122/starlette-0.49.3-py3-none-any.whl
Path to dependency file: /ai/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/14/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/17/starlette-0.49.3-py3-none-any.whl,/tmp/ws-ua_20260331025725_MIUFBE/python_UVEQHS/20260331025831/9/starlette-0.49.3-py3-none-any.whl
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-parsing, so request.url.hostname and request.url.netloc become attacker-controlled. Code that reads request.url.hostname (rather than the Host header or scope) can therefore be misled into trusting an attacker-supplied host. This vulnerability is fixed in 1.3.0.
Publish Date: 2026-06-22
URL: CVE-2026-54282
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-jp82-jpqv-5vv3
Release Date: 2026-06-15
Fix Resolution: 1.3.0
Step up your Open Source Security Game with Mend here