PatchSiren

Kludex CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Kludex CVE published 2026-06-22

CVE-2026-53539

CVE-2026-53539 is a denial of service vulnerability in Python-Multipart, a streaming multipart parser for Python. Prior to version 0.0.30, the parser is vulnerable to a denial of service attack when parsing application/x-www-form-urlencoded bodies. An attacker can submit a small crafted body and cause the parser to spend seconds of CPU per request, potentially exhausting worker processes. The vulnerabilit [truncated]

MEDIUM Kludex CVE published 2026-06-17

CVE-2026-48817

CVE-2026-48817 is a medium-severity vulnerability in Starlette, a lightweight ASGI framework. The issue allows attackers to invoke internal helper methods not intended as HTTP handlers due to unrestricted HTTP method handling. This occurs when an HTTPEndpoint subclass is registered without explicitly setting the 'methods' parameter, enabling non-standard HTTP methods to reach the endpoint. Affected applic [truncated]

HIGH Kludex CVE published 2026-06-17

CVE-2026-48818

CVE-2026-48818 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the StaticFiles feature of Starlette, a lightweight ASGI framework/toolkit, on Windows systems. The vulnerability, with a CVSS score of 7.5, allows an attacker to initiate an outbound SMB connection by exploiting the `os.path.realpath` function, potentially exposing the service account's NTLMv2 credentials for offline cr [truncated]

MEDIUM Kludex CVE published 2026-05-26

CVE-2026-48710

A vulnerability in Starlette (prior to version 1.0.1) allows security bypasses by exploiting malformed HTTP Host headers. The framework failed to validate the Host header before using it to reconstruct `request.url`, creating a mismatch between the routing path and the URL path exposed to middleware and endpoints. Security controls relying on `request.url` rather than the raw ASGI scope path could be circ [truncated]

HIGH Kludex CVE published 2026-05-13

CVE-2026-42561

CVE-2026-42561 is a denial of service vulnerability in the Python-Multipart library. The vulnerability exists in versions prior to 0.0.27 and is caused by a lack of limits on the number of part headers or the size of an individual part header when parsing multipart/form-data. An attacker could exploit this vulnerability by sending a request with many repeated headers or a single large header value, causin [truncated]

HIGH Kludex CVE published 2026-01-27

CVE-2026-24486

CVE-2026-24486 is a Path Traversal vulnerability in Python-Multipart, a streaming multipart parser for Python. Prior to version 0.0.22, when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`, an attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch. As a worka [truncated]