Ctrl + K
/ news / CVE
CVEPublished 2026-05-26Modified 2026-06-031 article on news6 live referencesNVD data

CVE-2026-48710Encode · Starlette

Vulnerability data via NVD (ingested)

CVSS v3.1
6.5
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS percentile
Weaknesses (CWE)
CWE-444Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Description

Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.

Timeline
Published 2026-05-26
Modified 2026-06-03

External references

NVDMITREExploit-DBSploitustrickest/cveVulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts
vuln:CVE-2026-48710
Hosts Shodan has explicitly fingerprinted as vulnerable.
Shodan · product
product:"Encode Starlette"
All exposed Encode Starlette instances — cross-reference with the CVE's affected-version range.
Shodan · banner/body mention
http.html:"Starlette"
HTTP body or banner mentions "Starlette" — catches deploys Shodan didn't identify as a product.
More intel sources (5)
Shodan report
vuln:CVE-2026-48710
Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2026-48710
Censys host search filtered to this CVE id.
grep.app
CVE-2026-48710
Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2026-48710
GitHub code search for direct mentions.
Google dork
"CVE-2026-48710" exploit -site:nvd.nist.gov
Write-ups and news, NVD excluded.

Known PoCs on GitHub (8)

CVE-2026-487108 repos
nomi-sec/PoC-in-GitHubunknown
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
★ 7,809·updated 2d ago
cclank/Hermes-Wikiunknown
Hermes agent + LLM Wiki + 源代码 完成 Hermes agent wiki
★ 528·updated 2d ago
DarkFunct/TK-CVE-RepoPython
TK-CVE-Repo
★ 49·updated 2d ago
lateos-ai/npm-scanJavaScript
Modern supply chain security for the npm ecosystem. Static + behavioral analysis that catches what npm audit, Snyk, and Socket miss — obfuscated payloads, credential stealers, cond…
★ 14·updated 2d ago
mcp-security-project/mcp-cve-projectunknown
The Project shares all information on MCP related CVE's published
★ 12·updated 1w ago
holmanholdings/lionguardPython
Cathedral-Grade Security for AI Agents. Attack vectors updated daily. Local-first, zero API cost. MIT licensed.
★ 5·updated 6d ago
eris-ths/supply-chain-guardShell
Detect, assess, and respond to supply chain attacks across npm/yarn and Python (pip/poetry/uv). Claude Code skill + standalone scripts. Built during axios RAT (2026-03-31) and Star…
★ 3·updated 1w ago
agentveil-protocol/lurkrPython
Pre-deploy static scanner for risky AI agent capabilities. Local-only. No telemetry. No network calls during scan. Redacted output. MIT.
★ 3·updated 1w ago
Articles on news mentioning CVE-2026-48710