SCA: security update for starlette (GHSA-wqp7-x3pw-xc5r)

high Tenable Self-Hosted Container Security Plugin ID 443240

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows
is vulnerable to SSRF. An UNC path such as \\attacker.com\share can cause os.path.realpath to initiate an
outbound SMB connection before the path is rejected, exposing the service account’s NTLMv2 credentials for
offline cracking or relay even though the HTTP response is only a 404. The issue affects default
follow_symlink=False deployments, including frameworks built on Starlette such as FastAPI; POSIX systems
and follow_symlink=True are unaffected. The issue is fixed in 1.1.0. (CVE-2026-48818)

Solution

Update the starlette library and its related packages to version 1.1.0 or later.

See Also

https://github.com/advisories/GHSA-wqp7-x3pw-xc5r

Plugin Details

Severity: High

ID: 443240

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 6/16/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.72

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2026-48818

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/15/2026

Vulnerability Publication Date: 6/15/2026

Reference Information

CVE: CVE-2026-48818

cwe: CWE-918