<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Cve-2026-48710 on HackingPassion.com : root@HackingPassion.com-[~]</title><link>https://hackingpassion.com/tags/cve-2026-48710/</link><description>Recent content in Cve-2026-48710 on HackingPassion.com : root@HackingPassion.com-[~]</description><generator>Hugo</generator><language>en</language><lastBuildDate>Wed, 27 May 2026 11:32:55 +0200</lastBuildDate><atom:link href="https://hackingpassion.com/tags/cve-2026-48710/index.xml" rel="self" type="application/rss+xml"/><item><title>BadHost Breaks Into FastAPI and vLLM With a Single Character</title><link>https://hackingpassion.com/badhost-starlette-cve-2026-48710/</link><pubDate>Wed, 27 May 2026 11:32:55 +0200</pubDate><guid>https://hackingpassion.com/badhost-starlette-cve-2026-48710/</guid><description>&lt;p>&lt;strong>BadHost&lt;/strong> is one character in an HTTP header that bypasses authentication on &lt;strong>FastAPI&lt;/strong>, &lt;strong>vLLM&lt;/strong>, &lt;strong>LiteLLM&lt;/strong>, and the &lt;strong>Python MCP SDK&lt;/strong>. They all run on &lt;strong>Starlette&lt;/strong>. Starlette has more than &lt;strong>400,000 dependent projects&lt;/strong> on GitHub. The bug is in Starlette.&lt;/p>
&lt;p>It is tracked as &lt;strong>CVE-2026-48710&lt;/strong>, disclosed on May 22. Starlette is the framework that sits underneath FastAPI and handles the basic plumbing of web requests: routing, middleware, everything that happens before your code runs. Through FastAPI it reaches vLLM, LiteLLM, Text Generation Inference, most OpenAI-compatible proxy servers, MCP servers, agent frameworks, and model management dashboards.&lt;/p></description></item></channel></rss>