Book a meeting

› 11:37:57 BSI CVE-2026-3039 Internet Systems Consortium BIND: Mehrere Schwachstellen · › 11:37:22 BSI CVE-2026-35193 Django: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen · › 11:37:22 BSI — Budibase: Mehrere Schwachstellen · › 11:27:22 BSI CVE-2026-45133 Zabbix: Mehrere Schwachstellen · › 11:22:23 BSI CVE-2026-46355 BigBlueButton: Mehrere Schwachstellen · › 11:22:22 BSI CVE-2025-71313 Linux Kernel: Mehrere Schwachstellen · › 11:22:22 BSI — SmarterTools SmarterMail: Mehrere Schwachstellen ermöglichen nicht sp… · › 11:17:22 BSI CVE-2026-50256 X.Org X11 und Xwayland: Mehrere Schwachstellen · › 11:12:23 BSI CVE-2025-14087 Red Hat Enterprise Linux (glib): Mehrere Schwachstellen · › 11:12:22 BSI CVE-2025-26594 X.Org X11: Mehrere Schwachstellen ermöglichen nicht näher spezifizier… · › 11:07:23 BSI CVE-2026-10854 MISP: Mehrere Schwachstellen · › 11:07:22 BSI CVE-2026-10768 Drupal Erweiterungen: Mehrere Schwachstellen ·

← Back to console

Critical CCB · Belgium CVE-2026-48710

Vulnerability in Starlette framework and related frameworks like Fast…

Published 28 May 2026 at 14:32

Description

CVE-2026-48710 , also known as BadHost , is a vulnerability affecting Starlette versions prior to 1.0.1. A lack of input sanitization on host header paths in Starlette leads to bypassing authentication with a single character across a large swath of Python LLM infrastructure including very large and prominent projects such as FastAPI, LiteLLM, vLLM, text generation inference projects, most OpenAI shim proxies, MCP servers, Agent harnesses, eval dashboards, and model-management UIs. In affected versions, the HTTP Host request header was not validated before being used to reconstruct request.url. Because the routing algorithm relies on the raw HTTP path while request.url is rebuilt from the Host header, a malformed header could make request.url.path differ from the path that was actually req