Kludex Python-Multipart vulnerabilities

4 known vulnerabilities affecting kludex/python-multipart.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 1

Vulnerabilities

CVE-2026-40347 | MEDIUM | CVSS 5.3 | CWE-400 | fixed in 0.0.26 | 2026-04-18
Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediate
Sources: GHSA, NVD

CVE-2026-24486 | HIGH | CVSS 7.5 | CWE-22 | fixed in 0.0.22 | 2026-01-27
Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to ver
Sources: GHSA, NVD, OSV

CVE-2024-53981 | HIGH | CVSS 7.5 | CWE-770 | fixed in 0.0.18 | 2024-12-02
python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs. An attacker could a
Sources: GHSA, NVD, OSV

CVE-2024-24762 | HIGH | CVSS 7.5 | CWE-400 | fixed in 0.0.7 | 2024-02-05
`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minu
Sources: GHSA, NVD, OSV