EXECUTIVE SUMMARY:
CVE-2026-48060 with a CVSS score of 8.1 is a high‑severity HTML injection vulnerability affecting the Litestar Python web framework (pip package litestar) in all releases prior to 2.22.0. The flaw arises because Litestar’s built‑in CSRF middleware places the CSRF token value into a hidden form field without automatically escaping it when the framework’s templating engine (e.g., Jinja, Mako, MiniJinja) is used, allowing an attacker to inject arbitrary markup via the csrftoken cookie. Exploitation requires only that a victim visit a Litestar‑powered site that renders forms with CSRF protection enabled; the attacker can deliver a malicious csrftoken cookie through a sub‑domain, a prior XSS, or a crafted link that forces the browser to set the cookie, after which a page refresh will render the attacker‑controlled HTML. This results in the attacker gaining the ability to execute client‑side scripts in the victim’s browser, effectively achieving a cross‑site scripting vector that can steal session cookies, perform unauthorized actions, or deface content. The business impact includes potential data breach, loss of user trust, regulatory penalties, and downstream compromise of internal systems if the compromised session accesses privileged resources. Successful exploitation depends on the application using a template engine, having CSRF protection enabled, and rendering the CSRF token via the recommended inline configuration that omits automatic escaping.
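The following is an added illustration of the pattern described above, not code from Litestar or from the advisory. It models a hidden CSRF field being rendered from a cookie value: the unescaped variant shows how a non-token cookie value breaks out of the attribute, and the hardened variant applies HTML attribute escaping plus a shape check on the token so that a cookie the application never issued is replaced rather than rendered. The field name `_csrf_token`, the hex token format and the helper names are assumptions made for this example.

```python
import html
import re
import secrets
from typing import Optional

# Assumed for this example: the hidden field name and a hex token alphabet.
FIELD_NAME = "_csrf_token"
TOKEN_RE = re.compile(r"^[0-9a-f]{32,128}$")


def generate_token() -> str:
    """Issue a fresh CSRF token (64 hex chars)."""
    return secrets.token_hex(32)


def hidden_field_unescaped(token: str) -> str:
    """Vulnerable pattern: the cookie value is interpolated into markup verbatim.

    Any quote or angle bracket in the value is emitted as-is, so the value can
    terminate the attribute and start new elements.
    """
    return f'<input type="hidden" name="{FIELD_NAME}" value="{token}">'


def hidden_field_escaped(token: str) -> str:
    """Hardened pattern: escape the attribute value before interpolation.

    html.escape with quote=True encodes & < > " and ' so the value cannot
    leave the attribute context regardless of its content.
    """
    return (
        f'<input type="hidden" name="{FIELD_NAME}" '
        f'value="{html.escape(token, quote=True)}">'
    )


def is_well_formed_token(token: str) -> bool:
    """Defense in depth: accept only values shaped like tokens the server issues."""
    return TOKEN_RE.fullmatch(token) is not None


def render_hidden_field(cookie_value: Optional[str]) -> str:
    """Render the field for a request.

    A missing or malformed cookie value (anything that does not look like a
    server-issued token) is discarded and a fresh token is rendered instead;
    well-formed values are still escaped on output.
    """
    if cookie_value is None or not is_well_formed_token(cookie_value):
        cookie_value = generate_token()
    return hidden_field_escaped(cookie_value)


def breaks_out_of_attribute(markup: str) -> bool:
    """Detection helper for tests: a single hidden input should contain exactly one tag opener."""
    return len(re.findall(r"<[a-zA-Z/]", markup)) > 1


# Constructed sample: a cookie value that is not a token but carries markup.
MALICIOUS_COOKIE = '"><b>injected</b>'

if __name__ == "__main__":
    print("unescaped:", hidden_field_unescaped(MALICIOUS_COOKIE))
    print("escaped:  ", hidden_field_escaped(MALICIOUS_COOKIE))
    print("rendered: ", render_hidden_field(MALICIOUS_COOKIE))
```

Run as a script it prints the three renderings side by side; in a real template the equivalent of `hidden_field_escaped` is whatever autoescaping your engine applies to interpolated values, and the shape check belongs wherever the cookie is read, before the value reaches the template.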
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-542p-wvx7-72m4