Aggregates CVE and security vulnerability intelligence across all encode-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Disclosed issues often relate to vendor risk cross-site scripting, vendor risk input validation, and vendor risk path handling; exposure may include vendor impact session compromise in vendor surface production workloads contexts.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-48710 | Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) | [email protected] | 6.5 | 0.35% | 2026-05-26 | 2026-06-03 |
| CVE-2023-29159 | Directory traversal vulnerability in Starlette versions 0.13.5 and later and prior to 0.27.0 allows a remote unauthenticated attacker to view files in a web service which was built using Starlette. | [email protected] | 7.5 | 1.35% | 2023-06-01 | 2025-01-09 |
| CVE-2023-30798 | There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service. | [email protected] | 7.5 | 1.95% | 2023-04-21 | 2024-11-21 |
| CVE-2021-41945 | Encode OSS httpx < 0.23.0 is affected by improper input validation in `httpx.URL`, `httpx.Client` and some functions using `httpx.URL.copy_with`. | [email protected] | 9.1 | 0.72% | 2022-04-28 | 2024-11-21 |
| CVE-2020-25626 | A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site-scripting (XSS) vulnerability. | [email protected] | 6.1 | 0.71% | 2020-09-30 | 2024-11-21 |
| CVE-2020-7695 | Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or even return an arbitrary response body, whenever crafted input is used to construct HTTP headers. | [email protected] | 5.3 | 0.30% | 2020-07-27 | 2024-11-21 |
| CVE-2020-7694 | This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is to log its details to either the console or a log file. When attackers request crafted URLs with percent-encoded escape sequences, the logging component will log the URL after it's been processed with urllib.parse.unquote, therefore converting any percent-encoded characters into their s | [email protected] | 3.7 | 0.23% | 2020-07-27 | 2024-11-21 |