CVE-2026-53537
Published 2026-06-22
CVSS 3.1: 5.3 (medium)
EPSS: 0.18% (7.4th percentile)
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax (filename*=charset'lang'value, name*=..., and the filename*0/filename*1 continuation form) is decoded and surfaced under the bare filename/name key, and overrides the plain parameter when both are present. RFC 7578 §4.2 explicitly forbids the filename* form in multipart/form-data. Components that follow RFC 7578, or that do not implement RFC 2231/5987 decoding for multipart/form-data (WAFs, proxies, gateways), may interpret such a header differently. An attacker can exploit that difference to smuggle a different field name or filename past an upstream inspector to the backend. This vulnerability is fixed in 0.0.30.
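As an added illustration (not code from the advisory or from python-multipart itself), the check below contrasts a parse that delegates to `email.message.Message`, as pre-0.0.30 `parse_options_header` did, with a strict RFC 7578 parse that accepts only plain parameters; an inspector can treat any disagreement between the two as grounds to reject the part. The sample headers are constructed.

```python
import email.message
import email.utils
import re

# Constructed sample headers (not from the advisory): charset'lang'value forms
# for filename and name, plus the filename*0/filename*1 continuation form.
SAMPLES = {
    "plain": 'form-data; name="upload"; filename="report.pdf"',
    "filename_ext": "form-data; name=\"upload\"; filename=\"report.pdf\"; filename*=utf-8''payload.sh",
    "continuation": 'form-data; name="upload"; filename*0="pay"; filename*1="load.sh"',
    "name_ext": "form-data; name=\"comment\"; name*=utf-8''admin_flag",
}

_PARAM_SPLIT = re.compile(r'(?:[^;"]|"[^"]*")+')  # ';' outside quotes separates params

def lenient_params(header: str) -> dict[str, str]:
    """Parse as pre-0.0.30 parse_options_header effectively did: email.message.Message
    applies RFC 2231/5987 decoding, so extended forms surface under the bare key."""
    msg = email.message.Message()
    msg["content-disposition"] = header
    out = {}
    for key, val in msg.get_params(header="content-disposition")[1:]:  # skip 'form-data'
        if isinstance(val, tuple):  # (charset, language, value) for RFC 2231 params
            val = email.utils.collapse_rfc2231_value(val)
        out[key] = val  # extended form is emitted last, so it overrides the plain one
    return out

def strict_params(header: str) -> tuple[dict[str, str], list[str]]:
    """RFC 7578 section 4.2 style parse: only plain name=value parameters are
    accepted; any key containing '*' is reported instead of decoded."""
    accepted, extended = {}, []
    parts = [p.strip() for p in _PARAM_SPLIT.findall(header) if p.strip()]
    for part in parts[1:]:  # skip the 'form-data' disposition token
        key, _, val = part.partition("=")
        key, val = key.strip().lower(), val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1].replace('\\"', '"')
        if "*" in key:
            extended.append(key)
        else:
            accepted[key] = val
    return accepted, extended

def is_smuggling_candidate(header: str) -> bool:
    """True when the two parsers would hand the backend different name/filename
    values, or when a forbidden extended parameter is present at all."""
    lenient = lenient_params(header)
    strict, extended = strict_params(header)
    differs = any(lenient.get(k) != strict.get(k) for k in ("name", "filename"))
    return differs or bool(extended)
```

Running `is_smuggling_candidate` over the four samples flags everything except the plain header; the first two functions show why, since the lenient parse returns `payload.sh` where the strict parse returns `report.pdf` or nothing.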
Affected (54 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-25 | lightspeed-chatbot-rhel8 | — | — |
| ansible-automation-platform-26 | lightspeed-chatbot-rhel9 | — | — |
| ansible-automation-platform-26 | mcp-tools-rhel9 | — | — |
| ansible-automation-platform-27 | lightspeed-chatbot-rhel9 | — | — |
| ansible-automation-platform-27 | mcp-tools-rhel9 | — | — |
| container-native-virtualization | ocp-virt-validation-checkup-rhel9 | — | — |
| exploit-intelligence-tech-preview | vulnerability-analysis-rhel9 | — | — |
| fastapiexpert | python-multipart | < 0.0.30 | 0.0.30 |
| kludex | python-multipart | < 0.0.30 | 0.0.30 |
| kludex | python-multipart | >= 0 < 0.0.30 | 0.0.30 |
| mta | mta-solution-server-rhel9 | — | — |
| openshift-lightspeed | lightspeed-agentic-sandbox-rhel9 | — | — |
| openshift-lightspeed | lightspeed-ocp-rag-rhel9 | — | — |
| openshift-lightspeed | lightspeed-service-api-rhel9 | — | — |
| rhaii | vllm-cpu-rhel9 | — | — |
| rhaii | vllm-cuda-rhel9 | — | — |
| rhaii | vllm-gaudi-rhel9 | — | — |
| rhaii | vllm-neuron-rhel9 | — | — |
| rhaii | vllm-rocm-rhel9 | — | — |
| rhaii | vllm-spyre-rhel9 | — | — |
| rhaii | vllm-tpu-rhel9 | — | — |
| rhaiis | vllm-cpu-rhel9 | — | — |
| rhaiis | vllm-cuda-rhel9 | — | — |
| rhaiis | vllm-neuron-rhel9 | — | — |
| rhaiis | vllm-rocm-rhel9 | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| Red Hat (vendor) | 5.3 | MEDIUM | — |
VulDB
Kludex python-multipart up to 0.0.29 on Python input validation (GHSA-vffw-93wf-4j4q)
vuldb · 2026-06-22 · CVSS 3.7 [LOW]
A vulnerability labeled as problematic has been found in Kludex python-multipart up to 0.0.29 on Python. Affected by this vulnerability is an unknown functionality. Such manipulation leads to improper input validation.
This vulnerability is documented as CVE-2026-53537. The attack can be executed remotely. There is not any exploit available.
The affected component should be upgraded.
GHSA
python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters
ghsa · 2026-06-15 · [LOW] · CWE-20
### Summary
`parse_options_header` parsed `Content-Disposition` (and `Content-Type`) headers with [`email.message.Message`](https://docs.python.org/3/library/email.compat32-message.html#email.message.Message), which transparently applies [RFC 2231](https://datatracker.ietf.org/doc/html/rfc2231)/[5987](https://datatracker.ietf.org/doc/html/rfc5987) decoding. The extended parameter syntax (`filename*=charset'lang'value`, `name*=...`, and the `filename*0`/`filename*1` continuation form) is decoded and surfaced under the bare `filename`/`name` key, and overrides the plain parameter when both are present. [RFC 7578 §4.2](https://datatracker.ietf.org/doc/html/rfc7578#section-4.2) explicitly forbids
Red Hat
multipart: Python-Multipart: Information disclosure via header parsing discrepancy
vendor_redhat · 2026-06-22 · CVSS 5.3 [MEDIUM] · CWE-1286
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-53537 python-multipart: Python-Multipart: Information disclosure via header parsing discrepancy [epel-all]
bugzilla · 2026-06-29 · CVSS 5.3 [MEDIUM]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-53537 python-multipart: Python-Multipart: Information disclosure via header parsing discrepancy [fedora-all]
bugzilla · 2026-06-29 · CVSS 5.3 [MEDIUM]
Bugzilla
CVE-2026-53537 multipart: Python-Multipart: Information disclosure via header parsing discrepancy
bugzilla · 2026-06-22 · CVSS 5.3 [MEDIUM]