Starlette CVE-2026-48710

Severity: MEDIUM (CVSS 3.1 base score 6.5)
Weakness: HTTP Request/Response Smuggling (CWE-444)
Published: 2026-05-26, source security-advisories@github.com

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Source Code Evidence Fetched
May 26, 2026 - 22:31 vuln.today
Analysis Generated
May 26, 2026 - 22:31 vuln.today

Blast Radius

Ecosystem impact (transitive dependency graph, resolved to a depth of 4):
  • 13 PyPI packages depend on starlette (10 direct, 3 indirect)

Ecosystem-wide dependent count for version 1.0.1.

Description (NVD)

Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP Host request header was not validated before being used to reconstruct request.url. Because the routing algorithm relies on the raw HTTP path while request.url is rebuilt from the Host header, a malformed header could make request.url.path differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on request.url (rather than the raw scope path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the Host header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing request.url and falls back to scope["server"] for malformed values.

Analysis (AI)

Host header injection in Starlette prior to version 1.0.1 allows unauthenticated remote attackers to cause request.url.path to differ from the actual ASGI scope path used for routing, enabling bypass of middleware and endpoint security controls that rely on request.url rather than the raw scope. Any application enforcing path-based ACLs, authentication gates, or WAF-style filters through request.url is affected, as a crafted Host header can make the URL appear to address a permitted path while the real route differs. …
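The mechanism described in the Description and Analysis above, as an added, self-contained model that is not Starlette's own code: when the Host header value is spliced verbatim into `scheme://host/path` and the string is re-parsed, characters such as `#`, `?` or `/` in the header relocate the path, so an authorisation check on `request.url.path` no longer sees the path the router dispatches on (`scope["path"]`). The validated builder with its fallback to `scope["server"]`, the simplified RFC 3986 host pattern, the constructed ASGI scope and the sample Host values are all assumptions for illustration, not Starlette's implementation or a recorded exploit.

```python
"""Model of request.url reconstruction from Host + raw path (illustrative, not Starlette code)."""
import re
from urllib.parse import SplitResult, urlsplit

# Simplified RFC 3986 §3.2.2 host: IP-literal | IPv4address | reg-name, followed by an
# optional ":" port (RFC 9110 §7.2). reg-name permits only unreserved, pct-encoded and
# sub-delims characters, so "/", "?" and "#" never match. (pct-encoded is loosened to "%".)
_HOST_RE = re.compile(
    r"(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9\-._~%!$&'()*+,;=]*)(?::[0-9]*)?"
)

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def _server_authority(scope: dict) -> str:
    """Authority derived from scope["server"], i.e. the socket the ASGI server accepted on."""
    host, port = scope["server"]
    if port is None or port == DEFAULT_PORTS.get(scope["scheme"]):
        return host
    return f"{host}:{port}"


def _assemble(scope: dict, authority: str) -> SplitResult:
    """Rebuild the URL string from scheme, authority and the raw scope path, then re-parse it."""
    url = f"{scope['scheme']}://{authority}{scope['path']}"
    if scope.get("query_string"):
        url += "?" + scope["query_string"].decode("latin-1")
    return urlsplit(url)


def build_url_unvalidated(scope: dict, headers: dict) -> SplitResult:
    """Pre-1.0.1 behaviour as modelled here: the Host header value is used as-is."""
    host = headers.get("host")
    return _assemble(scope, host if host is not None else _server_authority(scope))


def build_url_validated(scope: dict, headers: dict) -> SplitResult:
    """Hardened behaviour as modelled here: a Host value outside the grammar falls back to scope["server"]."""
    host = headers.get("host")
    if host is None or not _HOST_RE.fullmatch(host):
        host = _server_authority(scope)
    return _assemble(scope, host)


PROTECTED_PREFIX = "/admin"


def gate_on_request_url(scope: dict, headers: dict) -> str:
    """Middleware pattern the advisory warns about: decides on request.url.path."""
    path = build_url_unvalidated(scope, headers).path
    return "denied" if path.startswith(PROTECTED_PREFIX) else "allowed"


def gate_on_scope_path(scope: dict, headers: dict) -> str:
    """Hardened pattern: decides on the raw scope path that the router actually matches."""
    return "denied" if scope["path"].startswith(PROTECTED_PREFIX) else "allowed"


def make_scope(path: str) -> dict:
    """Constructed ASGI HTTP scope for an unauthenticated request (sample input, assumed)."""
    return {"type": "http", "scheme": "http", "path": path,
            "query_string": b"", "server": ("app.internal", 8000)}


if __name__ == "__main__":
    scope = make_scope("/admin/users")
    # Constructed Host values: one well-formed, two that fall outside the host grammar.
    for host in ("example.com", "example.com#", "example.com/public"):
        hdrs = {"host": host}
        print(f"Host: {host!r:22} unvalidated path={build_url_unvalidated(scope, hdrs).path!r:22}"
              f" validated path={build_url_validated(scope, hdrs).path!r:16}"
              f" url-gate={gate_on_request_url(scope, hdrs):8} scope-gate={gate_on_scope_path(scope, hdrs)}")
```

The check that matters for an application is the last column: authorisation keyed on `scope["path"]` gives the same verdict for every Host value, because that is the string the router dispatches on. Validating the authority before rebuilding the URL closes the divergence at the framework layer, but middleware that gates on `request.url` still depends on that validation being present in every framework version it runs under.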
