CVE-2026-54282
CVE-2026-54282 is a low-severity vulnerability in Encode Starlette with a CVSS 3.x base score of 3.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-706.
Key facts
- Severity: Low (CVSS 3.x base score 3.7)
- EPSS exploit prediction: 0% (8th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-38318
- Weakness: CWE-706
- Affected product: Encode Starlette
- Published:
- Last modified:
Description
Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-parsing, so request.url.hostname and request.url.netloc become attacker-controlled. Code that reads request.url.hostname (rather than the Host header or scope) can therefore be misled into trusting an attacker-supplied host. This vulnerability is fixed in 1.3.0.
Frequently asked questions
- What is CVE-2026-54282?
- Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-parsing, so request.url.hostname and request.url.netloc become attacker-controlled. Code that reads request.url.hostname (rather than the Host header or scope) can therefore be misled into trusting an attacker-supplied host. This vulnerability is fixed in 1.3.0.
- How severe is CVE-2026-54282?
- CVE-2026-54282 has a CVSS 3.x base score of 3.7, rated low severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
- Is CVE-2026-54282 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (8th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-54282?
- CVE-2026-54282 affects Encode Starlette. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-54282?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-54282 have an EU (EUVD) identifier?
- Yes. CVE-2026-54282 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-38318.
- When was CVE-2026-54282 published?
- CVE-2026-54282 was published on 2026-06-22 and last updated on 2026-06-26.
References
Affected products (1)
- cpe:2.3:a:encode:starlette:*:*:*:*:*:python:*:*
More vulnerabilities in Encode Starlette
- CVE-2026-54283 — High (CVSS 7.5): Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and…
- CVE-2026-48818 — High (CVSS 7.5): Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable…
- CVE-2023-29159 — High (CVSS 7.5): Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote…
- CVE-2023-30798 — High (CVSS 7.5): There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and…
- CVE-2026-48710 — Medium (CVSS 6.5): Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not…
- CVE-2026-48817 — Medium (CVSS 5.3): Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a request,…
All CVEs affecting Encode Starlette →
Other CWE-706 vulnerabilities
- CVE-2025-65474 — Critical (CVSS 9.8): An arbitrary file rename vulnerability in the /admin/manager.php component of EasyImages 2.0 v2.8.6 and below allows…
- CVE-2024-35198 — Critical (CVSS 9.8): TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. TorchServe 's check…
- CVE-2023-31814 — Critical (CVSS 9.8): D-Link DIR-300 firmware <=REVA1.06 and <=REVB2.06 is vulnerable to File inclusion via /model/__lang_msg.php.
- CVE-2022-30258 — Critical (CVSS 9.8): An issue was discovered in Technitium DNS Server through 8.0.2 that allows variant V2 of unintended domain name…
- CVE-2022-30257 — Critical (CVSS 9.8): An issue was discovered in Technitium DNS Server through 8.0.2 that allows variant V1 of unintended domain name…
- CVE-2021-40539 — Critical (CVSS 9.8): Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with…