Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/starlette@1.0.0rc1

Type pypi

Namespace

Name starlette

Version 1.0.0rc1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.0.1

Latest_non_vulnerable_version 1.0.1

Affected_by_vulnerabilities

url VCID-2c5q-buqw-u7ex

vulnerability_id VCID-2c5q-buqw-u7ex

summary

BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks
Starlette reconstructs the requested URL based on the HTTP Host request header and requested path, but does not perform any validation of the Host header value. This allows attackers to inject paths into the host part, prepending the actual path. However, routing in Starlette is based on the actual request path. This inconsistent interpretation of HTTP requests may lead to issues such as authentication bypass when the authentication depends on the reconstructed URL’s path.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-48710.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-48710.json

reference_url

https://badhost.org

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://badhost.org

reference_url

https://github.com/Kludex/starlette

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/Kludex/starlette

reference_url

https://github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6

reference_url

https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2026-161.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2026-161.yaml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-48710

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-48710

reference_url

https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette

reference_url	https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette/
reference_id
reference_type
scores
url	https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette/

reference_url

https://www.secwest.net/starlette

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.secwest.net/starlette

reference_url

https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette

reference_url	https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette/
reference_id
reference_type
scores
url	https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette/

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137375
reference_id	1137375
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137375

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2481742
reference_id	2481742
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2481742

reference_url	https://access.redhat.com/errata/RHSA-2026:22992
reference_id	RHSA-2026:22992
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22992

reference_url	https://access.redhat.com/errata/RHSA-2026:22993
reference_id	RHSA-2026:22993
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22993

fixed_packages

url	pkg:pypi/starlette@1.0.1
purl	pkg:pypi/starlette@1.0.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/starlette@1.0.1

aliases CVE-2026-48710, GHSA-86qp-5c8j-p5mr, PYSEC-2026-161, X41-2026-002

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2c5q-buqw-u7ex

Fixing_vulnerabilities

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/starlette@1.0.0rc1

Package Instance