CVE-2026-33033 — Inefficient Algorithmic Complexity in Django

CWE-407 — Inefficient Algorithmic Complexity CWE-1286 — Improper Validation of Syntactic Correctness of Input13 documents9 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 67.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedApr 7

Latest updateApr 9

Description

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5djangoproject/django6.0 — 6.0.4+2

▶NVDdjangoproject/django4.2 — 4.2.30+2

▶PyPIdjangoproject/django6.0 — 6.0.4+2

Patches

Patch: docs.djangoproject.com ↗Patch: www.djangoproject.com ↗

🔴Vulnerability Details

OSV

CVE-2026-33033: Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload↗2026-04-07

▶

OSV

Django has potential DoS via MultiPartParser through crafted multipart uploads↗2026-04-07

▶

CVEList

Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload↗2026-04-07

▶

OSV

CVE-2026-33033: An issue was discovered in 6↗2026-04-07

▶

OSV

python-django vulnerabilities↗2026-04-07

▶

📋Vendor Advisories

Ubuntu

Django vulnerabilities↗2026-04-09

▶

Ubuntu

Django vulnerabilities↗2026-04-07

▶

Red Hat

Django: Django: Performance degradation via excessive whitespace in multipart uploads↗2026-04-07

▶

Debian

CVE-2026-33033: python-django - An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33033 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-33033 Django: Django: Performance degradation via excessive whitespace in multipart uploads↗2026-04-07

▶