Two of this morning's items sit on top of each other. LiteLLM's command-execution bug, CVE-2026-42271, is now in CISA's Known Exploited Vulnerabilities catalog — added June 8, federal remediation due June 22 — and the host-header flaw in Starlette underneath it, CVE-2026-48710, drops the authentication that protected the affected endpoints. Authenticated command execution plus an auth bypass is an unauthenticated chain. If you run an LLM gateway, this is the one that jumps the queue. vLLM and LangChain fill out a Python-heavy morning; nothing on the .NET or Angular side cleared the bar today.

Worth your morning

LiteLLM + Starlette (CVE-2026-42271 + CVE-2026-48710). CVE-2026-42271 was disclosed in April as an authenticated command-execution flaw in LiteLLM's admin test endpoints. The reason it is now on a federal clock is the framework underneath it: Starlette derives request.url.path from the client-supplied Host header without validating it, so path-based auth middleware can be made to check one path while the server routes another. The auth that stood between the internet and those endpoints stops standing. CISA added CVE-2026-42271 to the KEV catalog on June 8 with a June-22 due date; the fix is LiteLLM 1.83.7, which both locks the endpoints behind the PROXY_ADMIN role and pulls in the patched Starlette. If you expose a LiteLLM proxy, patch it today and rotate any provider API keys it held — the chain ends in command execution on the gateway. Starlette 1.0.1 closes the host-header bug for everything built on it, which is a long list: FastAPI apps, vLLM, and a good fraction of the MCP servers in circulation.

vLLM (CVE-2026-41523). A security check in vLLM's activation-function loader rode on a Python assert, which is to say it was absent the moment anyone ran the server with python -O or PYTHONOPTIMIZE=1 — the optimized mode that strips assertions out. With the check gone, the loader would accept arbitrary functions named in a model's config. Fixed in 0.22.0; if you can't upgrade immediately, don't run vLLM in optimized mode.

LangChain (GHSA-gr75-jv2w-4656). A path-traversal and sandbox-escape issue in the file-search middleware and loaders: when untrusted input steers path resolution, the resolved path isn't reliably confined to its intended root, which can disclose files outside it. Moderate (5.1), no CVE assigned. Fixed in langchain 1.3.9 and langchain-anthropic 1.4.6.