bc1q3909urygy90qhytu32344ws0t5vy085y0h7xc8 0x71faaDcAF2538e7346885F772FBAcb88740059A8 49PeCUfdgmG1ZMAzUxz2WFWiRDbDrycrJ8qYVfxBq6HWCHjk7uncaoESm7CRF5DtxcFgStuvyvcfUD3p4xU33F8dPep53MP 2 analyses tagged starlette, sorted newest first.
CISA added BerriAI LiteLLM CVE-2026-42271 to its KEV catalog on 2026-06-08 due to active exploitation. This high-severity command injection vulnerability in MCP server preview endpoints allows authenticated (or unauthenticated, when chained with CVE-2026-48710) users to run arbitrary shell commands on the host proxy.
Starlette CVE-2026-48710 (BadHost) is a Host-header URL reconstruction flaw fixed in Starlette 1.0.1. New OSTIF, X41, Tenable, and BadHost scanner sources clarify that the highest-risk deployments are FastAPI/Starlette/LLM services whose middleware makes security decisions from request.url.path.