CVE-2026-53537
published 2026-06-22


Priority: P428
CVSS 3.1: 5.3 (medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.18% (7.4th percentile)
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax (filename*=charset'lang'value, name*=..., and the filename*0/filename*1 continuation form) is decoded and surfaced under the bare filename/name key, and overrides the plain parameter when both are present. RFC 7578 §4.2 explicitly forbids the filename* form in multipart/form-data. Components that follow RFC 7578, or that do not implement RFC 2231/5987 decoding for multipart/form-data (WAFs, proxies, gateways), may interpret such a header differently. An attacker can exploit that difference to smuggle a different field name or filename past an upstream inspector to the backend. This vulnerability is fixed in 0.0.30.
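The block below is an added illustration, not python-multipart's own code: it contrasts the RFC 2231/5987 decoding that email.message.Message applies (which surfaces filename*=... and the filename*0/filename*1 continuation form under the bare filename key, the later decoded entry overriding the plain one) with a strict RFC 7578-style check that a gateway or WAF could apply to reject the forbidden form outright instead of silently picking a winner. The function names and the sample header are assumptions made for the example.

```python
# Added illustration, not python-multipart's own code (see lead-in).
import re
from email.message import Message
from email.utils import collapse_rfc2231_value

# Split on ';' only when an even number of '"' follows, i.e. outside quotes.
_SEMICOLON = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

def rfc2231_decoding_params(header: str) -> dict[str, str]:
    """Parameters after the stdlib Message applies RFC 2231/5987 decoding."""
    msg = Message()
    msg["Content-Disposition"] = header
    options: dict[str, str] = {}
    # params[0] is the bare "form-data" token; decoded filename*/filename*0..
    # entries follow the plain ones, so the dict assignment lets them win.
    for key, value in msg.get_params(header="content-disposition")[1:]:
        if isinstance(value, tuple):  # (charset, language, value) per RFC 2231
            value = collapse_rfc2231_value(value)
        options[key] = value
    return options

def strict_form_data_params(header: str) -> dict[str, str]:
    """RFC 7578 view: reject '*'-suffixed parameters and duplicates outright."""
    tokens = [t.strip() for t in _SEMICOLON.split(header) if t.strip()]
    if not tokens or tokens[0].lower() != "form-data":
        raise ValueError("not a form-data Content-Disposition header")
    options: dict[str, str] = {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        key = key.strip().lower()
        if not sep or not key:
            raise ValueError(f"malformed parameter: {tok!r}")
        if "*" in key or key in options:  # RFC 2231/5987 form or duplicate
            raise ValueError(f"ambiguous parameter in form-data: {key}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        options[key] = value
    return options

def accepts(header: str) -> bool:
    """True when the strict RFC 7578 view accepts the header."""
    try:
        strict_form_data_params(header)
        return True
    except ValueError:
        return False

# Constructed header: the plain filename and the forbidden extended form differ.
AMBIGUOUS = 'form-data; name="upload"; filename="a.txt"; filename*=utf-8\'\'b.txt'
```

On the constructed header the decoding view reports filename "b.txt" while the strict view refuses the header, which is the disagreement an upstream inspector and the backend must not be allowed to have.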

Affected

54 ranges (showing 25)

Vendor                              Product                              Version range    Fixed in
ansible-automation-platform-25      lightspeed-chatbot-rhel8
ansible-automation-platform-26      lightspeed-chatbot-rhel9
ansible-automation-platform-26      mcp-tools-rhel9
ansible-automation-platform-27      lightspeed-chatbot-rhel9
ansible-automation-platform-27      mcp-tools-rhel9
container-native-virtualization     ocp-virt-validation-checkup-rhel9
exploit-intelligence-tech-preview   vulnerability-analysis-rhel9
fastapiexpert                       python-multipart                     < 0.0.30         0.0.30
kludex                              python-multipart                     < 0.0.30         0.0.30
kludex                              python-multipart                     >= 0 < 0.0.30    0.0.30
mta                                 mta-solution-server-rhel9
openshift-lightspeed                lightspeed-agentic-sandbox-rhel9
openshift-lightspeed                lightspeed-ocp-rag-rhel9
openshift-lightspeed                lightspeed-service-api-rhel9
rhaii                               vllm-cpu-rhel9
rhaii                               vllm-cuda-rhel9
rhaii                               vllm-gaudi-rhel9
rhaii                               vllm-neuron-rhel9
rhaii                               vllm-rocm-rhel9
rhaii                               vllm-spyre-rhel9
rhaii                               vllm-tpu-rhel9
rhaiis                              vllm-cpu-rhel9
rhaiis                              vllm-cuda-rhel9
rhaiis                              vllm-neuron-rhel9
rhaiis                              vllm-rocm-rhel9

CVSS provenance

nvd: v3.1, 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vendor_redhat: 5.3 MEDIUM