dragosr
dragostech.bsky.social
did:plc:ba4dnche53jjxc6gjl64f6u4
🚨 CVE-2026-48710 ("BadHost"): one character in a Host header bypasses path-based authorization across most of the Python AI stack.
Lives in Starlette, reaches FastAPI and through it: vLLM (where it was discovered), LiteLLM, TGI, MCP servers, agent harnesses, eval dashboards.
cc @marver.bsky.social
https://secwest.net/starlette
2026-05-26T07:55:46.274Z