python · litestar · Critical

litestar: CSRF cookie XSS via unsafe template pattern

11 Jun 2026 · Read 1 min · Severity: act now

What changed

Litestar instances using templates with CSRF protection are vulnerable to HTML injection leading to XSS because the CSRF cookie content is not escaped when using the recommended `{{ csrf_input | safe }}` pattern.

Who it affects

Applications using Litestar with a template engine (Jinja, Mako, MiniJinja), CSRF protection enabled, and CSRF inputs enabled as per documentation.

What to do today

Review template code for `{{ csrf_input | safe }}` usage and ensure proper escaping; consider applying a fix or workaround from the advisory.
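To make the review concrete, the following is an added example (not code from the advisory or from Litestar itself) that models the two rendering choices: the cookie value dropped into the hidden input verbatim and then marked `safe`, beside the hardened form that HTML-escapes the value first. The field name `_csrf_token` and the sample token values are constructed assumptions; the check parses the rendered fragment the way a browser would and confirms that exactly one `<input>` comes out with the token intact.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample values; the field name is an assumption, not taken
# from the advisory or from Litestar's own source.
FIELD_NAME = "_csrf_token"
BENIGN_TOKEN = "a3f9c1e2b7d4"
# A cookie value carrying markup, constructed to show why escaping matters.
TAINTED_TOKEN = '"><b>injected</b>'


def csrf_input_unescaped(token: str) -> str:
    """Models the vulnerable pattern: the cookie value is interpolated verbatim
    and the template then renders the result with `| safe`, so any markup in
    the cookie reaches the page unchanged."""
    return f'<input type="hidden" name="{FIELD_NAME}" value="{token}" />'


def csrf_input_escaped(token: str) -> str:
    """Hardened form: HTML-escape the value (quotes included) before building
    the markup, so `| safe` only ever marks markup the server itself wrote."""
    return f'<input type="hidden" name="{FIELD_NAME}" value="{escape(token, quote=True)}" />'


class _TagCollector(HTMLParser):
    """Records every start tag and its attributes, as a browser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def rendered_tags(fragment: str) -> list:
    """Parse a rendered fragment and return [(tag, {attr: value}), ...]."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def is_single_hidden_input(fragment: str, token: str) -> bool:
    """Review check: exactly one <input> whose value round-trips the original
    token. The escaped form preserves this for any cookie content; the
    unescaped form does not."""
    tags = rendered_tags(fragment)
    return len(tags) == 1 and tags[0][0] == "input" and tags[0][1].get("value") == token


if __name__ == "__main__":
    for render in (csrf_input_unescaped, csrf_input_escaped):
        print(render.__name__, is_single_hidden_input(render(TAINTED_TOKEN), TAINTED_TOKEN))
```

Because the escaped value is decoded back to the original token by the browser, the hardened form changes nothing about how the submitted token is validated.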
