ByteOS Network

NVD Vulnerability Details :

CVE-2026-53538

Received

Source-security-advisories@github.com

Published At-22 Jun, 2026 | 18:16

Updated At-22 Jun, 2026 | 18:16

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse (since the CVE-2021-23336 fix) treat only & as a separator. This creates a parser differential: the same bytes are tokenized into different fields than a WHATWG compliant intermediary would produce, allowing an attacker to smuggle extra form fields past an upstream body inspecting component. This vulnerability is fixed in 0.0.30.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	3.7	LOW	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Type: Secondary

Version: 3.1

Base score: 3.7

Base severity: LOW

Vector:

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Weaknesses

CWE ID	Type	Source
CWE-436	Primary	security-advisories@github.com
CWE-444	Primary	security-advisories@github.com

CWE ID: CWE-436

Type: Primary

Source: security-advisories@github.com

CWE ID: CWE-444

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/Kludex/python-multipart/security/advisories/GHSA-6jv3-5f52-599m	security-advisories@github.com	N/A

Hyperlink: https://github.com/Kludex/python-multipart/security/advisories/GHSA-6jv3-5f52-599m

Source: security-advisories@github.com

Resource: N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History