CVE-2026-53537 | Python-Multipart is a streaming multipart parser for Python.… | CVSS 3.7 LOW

Description

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax (filename*=charset'lang'value, name*=..., and the filename*0/filename*1 continuation form) is decoded and surfaced under the bare filename/name key, and overrides the plain parameter when both are present. RFC 7578 §4.2 explicitly forbids the filename* form in multipart/form-data. Components that follow RFC 7578, or that do not implement RFC 2231/5987 decoding for multipart/form-data (WAFs, proxies, gateways), may interpret such a header differently. An attacker can exploit that difference to smuggle a different field name or filename past an upstream inspector to the backend. This vulnerability is fixed in 0.0.30.

Metadata

CVE ID: CVE-2026-53537
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-09 18:13 UTC
Published: 2026-06-22 16:57 UTC
Last updated: 2026-06-22 16:57 UTC
Primary CWE: CWE-20
CWE-20: Improper Input Validation
Vendor / Product: Kludex / python-multipart
Sources: cve.org · NVD

Severity & Metrics

3.7 LOW CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected products (1)

Vendor	Product	Platform	Versions
Kludex	python-multipart	—	< 0.0.30

Weakness (CWE)

CWE	Source	Description
CWE-20	cna	CWE-20: Improper Input Validation
CWE-436	cna	CWE-436: Interpretation Conflict

CVSS scores (1)

Score	Severity	Version	Source	Vector
3.7	LOW	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

References (1)

https://github.com/Kludex/python-multipart/security/advisories/GHSA-vffw-93wf-4j4q https://github.com/Kludex/python-multipart/security/advisories/GHSA-vffw-93wf-4j4q