Skip to content

v3.3.2b

Latest

Choose a tag to compare

@cslev cslev released this 02 Jun 01:02

[v3.3.2b] - 2026-06-02

Security

  • CVE-2026-48710 (BadHost) assessment — confirmed Tradleware is not directly exploitable (no custom BaseHTTPMiddleware using request.url.path for access control; auth is route-level via session). Upgraded as a precaution.
  • Starlette 0.52.1 → 1.2.1 — pulls in Host header validation per RFC 9112/3986.
  • FastAPI 0.129.0 → 0.136.3 — updated alongside Starlette (tightly coupled dependency).
  • src/requirement.txt — pinned fastapi>=0.136.3; added explicit starlette>=1.0.1 minimum constraint.