CVE-2026-48710 Starlette Host-Header Auth Bypass

7 points by hoistbypetard


hoistbypetard

If you have anything on the internet built with Starlette < 1.0.1 (including FastAPI things), and it's not behind a good reverse proxy, your ASGI application uses an unsanitized user-controlled Host header to construct the URL path that some middleware uses for auth, so you likely have some patching to do.

This is generally a good find, but the fact that the point about the reverse proxy isn't included "above the fold" feels a little misleading. I can't say I've ever seen one of these put online without one.
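As an added illustration of the class of issue the comment describes (example code written for this page; it is not from the post, from Starlette, or from the CVE advisory, and it does not reproduce the actual bug): a framework rebuilds the request URL from the client-supplied Host header, so anything that later consumes that URL is trusting attacker input unless something in front of the app pins the host. The hypothetical ASGI app below reconstructs the URL the way frameworks typically do (Host header, falling back to the server socket), and `make_app` applies an allowlist check of the kind a reverse proxy or a trusted-host middleware provides. All host names, paths and the `run`/`make_scope` helpers are constructed for this example.

```python
"""Added example: Host-header-derived URLs and a trusted-host allowlist.
Not Starlette's code; a simplified stand-in for how ASGI frameworks behave."""
import asyncio
from typing import Iterable, Optional


def header_value(scope: dict, name: bytes) -> Optional[str]:
    """Return the first header matching `name` (ASGI headers are lower-case bytes)."""
    for key, value in scope.get("headers", []):
        if key.lower() == name:
            return value.decode("latin-1")
    return None


def build_url(scope: dict) -> str:
    """Reconstruct the request URL the way frameworks commonly do:
    scheme + Host header (or the listening socket if absent) + path.
    With no host check, the netloc here is whatever the client sent."""
    host = header_value(scope, b"host")
    if host is None:
        server_host, server_port = scope["server"]
        host = f"{server_host}:{server_port}"
    return f"{scope['scheme']}://{host}{scope['path']}"


def strip_port(host: str) -> str:
    """'app.example.com:8000' -> 'app.example.com'; keeps IPv6 literals intact."""
    if host.startswith("["):
        return host[: host.index("]") + 1]
    return host.split(":", 1)[0]


def host_allowed(host: str, allowed: Iterable[str]) -> bool:
    """Exact match, or a leading '*.' wildcard that matches subdomains only
    (so '*.example.com' does not match 'example.com' or 'example.com.evil.net')."""
    hostname = strip_port(host).lower()
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern == "*" or hostname == pattern:
            return True
        if pattern.startswith("*.") and hostname.endswith(pattern[1:]):
            return True
    return False


def make_app(allowed_hosts: Iterable[str]):
    """Hypothetical ASGI app: reject untrusted Host values before the URL
    derived from them reaches any downstream logic (redirects, auth, links)."""
    allowed = list(allowed_hosts)

    async def app(scope, receive, send):
        host = header_value(scope, b"host") or ""
        if not host_allowed(host, allowed):
            await send({"type": "http.response.start", "status": 400,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": b"Invalid host header"})
            return
        body = f"request url: {build_url(scope)}".encode()
        await send({"type": "http.response.start", "status": 200,
                    "headers": [(b"content-type", b"text/plain")]})
        await send({"type": "http.response.body", "body": body})

    return app


def make_scope(host: Optional[str], path: str = "/login") -> dict:
    """Constructed ASGI HTTP scope for the example; no real server involved."""
    headers = [] if host is None else [(b"host", host.encode("latin-1"))]
    return {"type": "http", "scheme": "https", "path": path,
            "server": ("127.0.0.1", 8000), "headers": headers}


def run(app, scope: dict):
    """Drive the app with an in-memory receive/send pair; returns (status, body)."""
    messages = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        messages.append(message)

    asyncio.run(app(scope, receive, send))
    status = messages[0]["status"]
    body = b"".join(m.get("body", b"") for m in messages[1:]).decode()
    return status, body


if __name__ == "__main__":
    # Without a host check the attacker chooses the netloc of "our" URL.
    print(build_url(make_scope("attacker.net")))
    app = make_app(["app.example.com", "*.internal.example.com"])
    print(run(app, make_scope("attacker.net")))
    print(run(app, make_scope("app.example.com")))
```

The `*.` wildcard deliberately requires a dot boundary; matching on a bare suffix would let `example.com.evil.net`-style names through. Note that the check belongs in the app only when nothing in front of it enforces the host; a reverse proxy that routes by a fixed server name already rejects or rewrites foreign Host values, which is the point the commenter makes.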