MEDIUM
Kludex
CVE published 2026-05-26
CVE-2026-48710
A vulnerability in Starlette (prior to version 1.0.1) allows security bypasses by exploiting malformed HTTP Host headers. The framework failed to validate the Host header before using it to reconstruct `request.url`, creating a mismatch between the routing path and the URL path exposed to middleware and endpoints. Security controls relying on `request.url` rather than the raw ASGI scope path could be circ [truncated]