
Kludex Python-Multipart vulnerabilities

10 known vulnerabilities affecting kludex/python-multipart.

Total CVEs: 10
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 5, MEDIUM 4, LOW 1

Vulnerabilities

CVE-2026-24486 | P2 | HIGH | CVSS 7.5 | PoC | fixed in 0.0.22 | 2026-01-27
CVE-2026-24486 [HIGH] CWE-22: Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to ver
Sources: GHSA, NVD, OSV
CVE-2021-23336 | P3 | MEDIUM | CVSS 5.9 | fixed in 0.0.30 | 2021-02-15
CVE-2021-23336 [MEDIUM] CWE-444: The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they
Sources: NVD
CVE-2026-42561 | P3 | HIGH | CVSS 7.5 | fixed in 0.0.27 | 2026-05-13
CVE-2026-42561 [HIGH] CWE-770: Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with ei
Sources: GHSA, NVD
CVE-2024-24762 | P3 | HIGH | CVSS 7.5 | fixed in 0.0.7 | 2024-02-05
CVE-2024-24762 [HIGH] CWE-400: `python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minu
Sources: GHSA, NVD, OSV
CVE-2026-53539 | P3 | HIGH | CVSS 7.5 | fixed in 0.0.30 | 2026-06-22
CVE-2026-53539 [HIGH] CWE-400: Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead did it fall back to scanning for ;. For a body that uses
Sources: GHSA, NVD
CVE-2024-53981 | P3 | HIGH | CVSS 7.5 | fixed in 0.0.18 | 2024-12-02
CVE-2024-53981 [HIGH] CWE-770: python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs. An attacker could a
Sources: GHSA, NVD, OSV
CVE-2026-40347 | P4 | MEDIUM | CVSS 5.3 | fixed in 0.0.26 | 2026-04-18
CVE-2026-40347 [MEDIUM] CWE-400: Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediate
Sources: GHSA, NVD
CVE-2026-53537 | P4 | MEDIUM | CVSS 5.3 | fixed in 0.0.30 | 2026-06-22
CVE-2026-53537 [MEDIUM] CWE-20: Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax (filename*=charset'lang'value, name*=..., and the filename*0/filename*1 continuation form
Sources: GHSA, NVD
CVE-2026-53538 | P4 | MEDIUM | CVSS 5.9 | affected ≥ 0, < 0.0.30 | 2026-06-15
CVE-2026-53538 [MEDIUM] CWE-436: python-multipart: Semicolon treated as querystring field separator enables parameter smuggling. Summary: `QuerystringParser` treated `;` as a field separator in `application/x-www-form-urlencoded` bodies, in addition to `&`. The WHATWG URL standard (https://url.spec.whatwg.org/#urlencoded-parsing), modern browsers, and Python's `urllib.parse` (since the CVE-2021-233
Sources: GHSA
CVE-2026-53540 | P4 | LOW | CVSS 3.7 | fixed in 0.0.31 | 2026-06-22
CVE-2026-53540 [LOW] CWE-1284: Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size
Sources: GHSA, NVD