CVE-2026-48818

Name: CVE-2026-48818
Creator: NVD / NIST
Published: 2026-06-17T19:18:09.807+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 0.28%

Last modified Jun 26, 2026

CVE-2026-48818 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. EPSS estimates a 0.28% chance of exploitation in the next 30 days.

Description

Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \\attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected, exposing the service account’s NTLMv2 credentials for offline cracking or relay even though the HTTP response is only a 404. The issue affects default follow_symlink=False deployments, including frameworks built on Starlette such as FastAPI; POSIX systems and follow_symlink=True are unaffected. The issue is fixed in 1.1.0.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.28%

19.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-918

Affected Software

Vendor	Product	Versions
Encode	Starlette	< 1.1.0

References

https://github.com/Kludex/starlette/commit/fd53168a7767b6b55ba5af787fd88f49e33cabc5Patch
https://github.com/Kludex/starlette/pull/3287Patch
https://github.com/Kludex/starlette/releases/tag/1.1.0Release Notes
https://github.com/Kludex/starlette/security/advisories/GHSA-wqp7-x3pw-xc5rMitigation, Vendor Advisory

Timeline

Published: Jun 17, 2026
Last Modified: Jun 26, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-48818?

How severe is CVE-2026-48818?

CVE-2026-48818 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.28% probability of exploitation in the next 30 days.

How do I fix CVE-2026-48818?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-48818?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST