CVE-2026-40347
Published: 2026-04-18
Priority: P4 (28) · Severity: medium · CVSS 3.1 base score: 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.35% (26.9th percentile)
Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.
Affected
42 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-25 | lightspeed-chatbot-rhel8 | — | — |
| ansible-automation-platform-26 | lightspeed-chatbot-rhel9 | — | — |
| ansible-automation-platform-26 | mcp-tools-rhel9 | — | — |
| fastapiexpert | python-multipart | < 0.0.26 | 0.0.26 |
| kludex | python-multipart | < 0.0.26 | 0.0.26 |
| kludex | python-multipart | >= 0 < 0.0.26 | 0.0.26 |
| lightspeed-core | lightspeed-stack-rhel9 | — | — |
| lightspeed-core | rag-tool-rhel9 | — | — |
| mta | mta-solution-server-rhel9 | — | — |
| openshift-lightspeed | lightspeed-ocp-rag-rhel9 | — | — |
| openshift-lightspeed | lightspeed-service-api-rhel9 | — | — |
| rhaiis | vllm-cpu-rhel9 | — | — |
| rhaiis | vllm-cuda-rhel9 | — | — |
| rhaiis | vllm-neuron-rhel9 | — | — |
| rhaiis | vllm-rocm-rhel9 | — | — |
| rhaiis | vllm-spyre-rhel9 | — | — |
| rhaiis | vllm-tpu-rhel9 | — | — |
| rhelai3 | bootc-aws-cuda-rhel9 | — | — |
| rhelai3 | bootc-azure-cuda-rhel9 | — | — |
| rhelai3 | bootc-azure-rocm-rhel9 | — | — |
| rhelai3 | bootc-cuda-rhel9 | — | — |
| rhelai3 | bootc-gcp-cuda-rhel9 | — | — |
| rhelai3 | bootc-rocm-rhel9 | — | — |
| rhelai3 | disk-image-cuda-rhel9 | — | — |
| rhoai | odh-caikit-nlp-rhel9 | — | — |
CVSS provenance
- nvd (v3.1): 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
- vendor_redhat: 5.3 MEDIUM
Red Hat
python-multipart: Python-Multipart: Denial of Service via crafted multipart/form-data requests
vendor_redhat · 2026-04-17 · CVSS 5.3 · MEDIUM · CWE-1050
A flaw was found in Python-Multipart, a tool for processing web form data. A remote attacker could exploit this vulnerability by sending specially crafted web requests. These requests, containing unusually large sections of data before or after the main content, could cause the system to become u
VulDB
Kludex python-multipart up to 0.0.25 resource consumption (GHSA-mj87-hwqh-73pj / Nessus ID 307443)
vuldb · 2026-04-18 · CVSS 5.3 · MEDIUM
A vulnerability categorized as problematic has been discovered in Kludex python-multipart up to 0.0.25. This issue affects some unknown processing. Such manipulation leads to resource consumption.
This vulnerability is uniquely identified as CVE-2026-40347. The attack can be launched remotely. No exploit exists.
It is advisable to upgrade the affected component.
GHSA
python-multipart affected by Denial of Service via large multipart preamble or epilogue data
ghsa · 2026-04-15 · MEDIUM · CWE-400
### Summary
A denial of service vulnerability exists when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections.
### Details
Two inefficient multipart parsing paths could be abused with attacker-controlled input.
Before the first multipart boundary, the parser handled leading CR and LF bytes inefficiently while searching for the start of the first part. After the closing boundary, the parser continued processing trailing epilogue data instead of discarding it immediately. As a result, parsing time could grow with the size of crafted data placed before the first boundary or after the closing boundary.
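The two parsing paths described above, as an added illustration (this is not python-multipart's own code, and unlike the library it works on a complete in-memory buffer rather than a stream): the preamble is handled by jumping directly to the next boundary candidate with a single search instead of inspecting each leading CR/LF byte, and parsing stops the moment the closing boundary is seen, so epilogue bytes are never examined. The boundary name `XYZ`, the sample body and the `max_preamble` cap are constructed assumptions; the cap is an extra defensive limit, not something the advisory specifies.

```python
# Added example, not python-multipart's code. A minimal multipart/form-data
# splitter that (1) skips ahead to the next boundary candidate instead of
# stepping through leading CR/LF bytes one at a time, and (2) returns as soon
# as the closing boundary is reached so the epilogue is discarded unread.
# The max_preamble cap is an assumed defensive limit (not from the advisory).


def _parse_headers(raw: bytes) -> dict:
    """Parse 'Name: value' lines of one part into a dict with lower-cased names."""
    headers = {}
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def split_multipart(body: bytes, boundary: bytes, max_preamble: int = 4096):
    """Return ([(headers, data), ...], epilogue_len).

    Raises ValueError on malformed input or when more than max_preamble
    bytes precede the first boundary.
    """
    delim = b"--" + boundary

    # Preamble: bytes.find() jumps straight to the next boundary candidate.
    # A candidate only counts if it is followed by CRLF (a part follows) or
    # by "--" (closing boundary); anything else is preamble and we keep going.
    search_from = 0
    while True:
        cand = body.find(delim, search_from)
        if cand == -1:
            raise ValueError("no boundary found")
        if cand > max_preamble:
            raise ValueError("preamble exceeds %d bytes" % max_preamble)
        after = cand + len(delim)
        if body.startswith(b"\r\n", after) or body.startswith(b"--", after):
            break
        search_from = cand + 1  # false candidate inside the preamble

    parts = []
    pos = after
    while True:
        if body.startswith(b"--", pos):
            # Closing boundary: nothing after it belongs to any field, so stop
            # here. The epilogue is never scanned; only its length is reported.
            return parts, len(body) - (pos + 2)
        if not body.startswith(b"\r\n", pos):
            raise ValueError("malformed boundary line")
        pos += 2
        # A part ends at the next CRLF immediately followed by the delimiter.
        end = body.find(b"\r\n" + delim, pos)
        if end == -1:
            raise ValueError("unterminated part")
        head, _, data = body[pos:end].partition(b"\r\n\r\n")
        parts.append((_parse_headers(head), data))
        pos = end + 2 + len(delim)


# Constructed sample request body: three leading CR/LF pairs as preamble,
# two fields, then a 1000-byte epilogue after the closing boundary.
SAMPLE = (
    b"\r\n\r\n\r\n"
    b"--XYZ\r\n"
    b'Content-Disposition: form-data; name="a"\r\n\r\n'
    b"hello\r\n"
    b"--XYZ\r\n"
    b'Content-Disposition: form-data; name="b"\r\n\r\n'
    b"world\r\n"
    b"--XYZ--\r\n"
    + b"E" * 1000
)


if __name__ == "__main__":
    fields, epilogue_len = split_multipart(SAMPLE, b"XYZ")
    for headers, data in fields:
        print(headers["content-disposition"], data)
    print("epilogue bytes discarded unread:", epilogue_len)
    try:
        split_multipart(b"\r\n" * 100 + SAMPLE, b"XYZ", max_preamble=64)
    except ValueError as exc:
        print("rejected:", exc)
```

Two things are worth noticing when running it: the cost before the first part is one linear search per boundary candidate and is bounded by `max_preamble`, so a request padded with kilobytes of CR/LF pairs costs the same as an empty preamble, and the epilogue never influences runtime at all because the function returns at the closing boundary. A streaming parser has to achieve the same effect across chunk boundaries, which is where the original inefficiency lived.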
### Impact
An attacker can send oversized malformed multip
No detection rules found.
No public exploits indexed.
Published: 2026-04-18