San Francisco — One bad character bypasses Starlette server authentication. CVE-2026-48710 misparses HTTP Host headers in FastAPI, vLLM and LiteLLM; any Model Context Protocol deployment is exposed. S
Ars Technica