Home > Vulnerability Database > CVE-2026-25480

Mend.io Vulnerability Database

CVE-2026-25480

Good to know:

Date: February 9, 2026

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup). This vulnerability is fixed in 2.20.0.

Severity Score

6.5

Related Resources (7)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-25480

Url: https://github.com/litestar-org/litestar/security/advisories/GHSA-vxqx-rh46-q2pg

Url: https://github.com/litestar-org/litestar/commit/85db6183a76f8a6b3fd6ee3c88d860b9f37a2cca

Url: https://github.com/litestar-org/litestar/releases/tag/v2.20.0

Url: https://github.com/litestar-org/litestar

Url: https://docs.litestar.dev/2/release-notes/changelog.html#2.20.0

Url: https://www.mend.io/vulnerability-database/CVE-2026-25480

Severity Score

6.5

Weakness Type (CWE)

Improper Input Validation

CWE-20

Improper Handling of Unicode Encoding

CWE-176

Top Fix

Upgrade Version

Upgrade to version litestar - 2.20.0;https://github.com/litestar-org/litestar.git - v2.20.0;https://github.com/litestar-org/litestar.git - v2.20.0

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-25480

Good to know:

Date: February 9, 2026

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?