CVE-2026-54283
- EPSS 0.28%
- Veröffentlicht 22.06.2026 16:46:16
- Zuletzt bearbeitet 26.06.2026 19:16:55
Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently igno...
CVE-2026-54282
- EPSS 0.19%
- Veröffentlicht 22.06.2026 16:45:01
- Zuletzt bearbeitet 26.06.2026 19:18:47
Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result,...
CVE-2026-48817
- EPSS 0.21%
- Veröffentlicht 17.06.2026 19:48:03
- Zuletzt bearbeitet 26.06.2026 19:18:13
Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a request, HTTPEndpoint selects the handler by lowercasing the HTTP method and looking it up as an attribute with getattr, without restricting the lookup...
CVE-2026-48818
- EPSS 0.37%
- Veröffentlicht 17.06.2026 17:50:12
- Zuletzt bearbeitet 30.06.2026 03:20:27
Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \\attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path...
CVE-2026-48710
- EPSS 1.44%
- Veröffentlicht 26.05.2026 22:16:44
- Zuletzt bearbeitet 02.07.2026 12:17:29
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` ...
CVE-2025-54121
- EPSS 0.53%
- Veröffentlicht 21.07.2025 20:15:41
- Zuletzt bearbeitet 15.04.2026 00:35:42
Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max...
CVE-2025-0182
- EPSS 0.66%
- Veröffentlicht 20.03.2025 10:10:00
- Zuletzt bearbeitet 15.04.2026 00:35:42
A vulnerability in danswer-ai/danswer version 0.9.0 allows for denial of service through memory exhaustion. The issue arises from the use of a vulnerable version of the starlette package (<=0.49) via fastapi, which was patched in fastapi version 0.11...
CVE-2024-47874
- EPSS 0.66%
- Veröffentlicht 15.10.2024 16:15:05
- Zuletzt bearbeitet 15.04.2026 00:35:42
Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This ...
CVE-2023-29159
- EPSS 2.03%
- Veröffentlicht 01.06.2023 02:15:09
- Zuletzt bearbeitet 09.01.2025 20:15:33
Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette.
CVE-2023-30798
- EPSS 1.29%
- Veröffentlicht 21.04.2023 16:15:07
- Zuletzt bearbeitet 21.11.2024 08:00:55
There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of servic...