CVE Catalog

CVE-2026-53538

Severity: Low (CVSS 3.7)

Exploitation Probability (EPSS)

Low risk
0.18%

7th percentile — higher than 7% of all known CVEs

Summary

Python-Multipart before version 0.0.30 incorrectly treated the semicolon (;) as a field separator in application/x-www-form-urlencoded bodies, in addition to &, while the WHATWG standard and modern browsers recognize only the & character. Because of this parsing differential, the same request body is tokenized into different fields by Python-Multipart than by a WHATWG-compliant component in front of it, which allows an attacker to smuggle extra form fields past an upstream body-inspecting component (for example a proxy or web application firewall).

Risk Assessment

The organization may be exposed to attacks involving smuggling of form fields: fields hidden after a ; are invisible to an upstream inspecting component but parsed by the application, which could lead to bypassing security mechanisms such as input validation or access control.

Recommendation

Immediately update the Python-Multipart library to version 0.0.30 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse (since the CVE-2021-23336 fix) treat only & as a separator. This creates a parser differential: the same bytes are tokenized into different fields than a WHATWG-compliant intermediary would produce, allowing an attacker to smuggle extra form fields past an upstream body-inspecting component. This vulnerability is fixed in 0.0.30.
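The parser differential described in the summary and in the NVD text above, as an added example that is not part of this page or of the python-multipart project: a WHATWG-style parse (urllib.parse, & only) beside a constructed re-implementation of the pre-0.0.30 tokenization (& and ;), a function that reports which field names only the legacy parse sees, and the check an upstream inspector can apply. The sample body and all function names are constructed for this example; the legacy function mimics only the separator behaviour the page describes, not python-multipart's streaming code.

```python
import re
import urllib.parse

# Constructed sample body. A WHATWG-compliant parser sees two fields, "user" and
# "comment" (whose value contains a literal ';'); a parser that also splits on
# ';' sees a third field, "role", that the front end never inspected.
SAMPLE_BODY = b"user=alice&comment=hi;role=admin"


def parse_whatwg(body: bytes) -> dict[str, list[str]]:
    """Tokenize on '&' only, as WHATWG, browsers and patched urllib.parse do."""
    # separator="&" is the post-CVE-2021-23336 default; stated explicitly here.
    return urllib.parse.parse_qs(
        body.decode("latin-1"), keep_blank_values=True, separator="&"
    )


def parse_legacy(body: bytes) -> dict[str, list[str]]:
    """Constructed model of the pre-0.0.30 behaviour: split on '&' and ';'."""
    fields: dict[str, list[str]] = {}
    for chunk in re.split(rb"[&;]", body):
        if not chunk:
            continue
        raw_name, _, raw_value = chunk.partition(b"=")
        name = urllib.parse.unquote_plus(raw_name.decode("latin-1"))
        value = urllib.parse.unquote_plus(raw_value.decode("latin-1"))
        fields.setdefault(name, []).append(value)
    return fields


def smuggled_fields(body: bytes) -> set[str]:
    """Field names a ';'-splitting backend sees that a WHATWG front end does not."""
    return set(parse_legacy(body)) - set(parse_whatwg(body))


def body_is_ambiguous(body: bytes) -> bool:
    """Check for an upstream inspector: a raw ';' in a form-urlencoded body is
    tokenized differently by the two parsers, so treat it as suspicious
    (reject it, or normalize by percent-encoding before forwarding)."""
    return b";" in body


if __name__ == "__main__":
    print("whatwg :", parse_whatwg(SAMPLE_BODY))
    print("legacy :", parse_legacy(SAMPLE_BODY))
    print("smuggled:", smuggled_fields(SAMPLE_BODY))
```

Note that percent-encoded `%3B` is not affected: both parsers decode it to a literal `;` inside a value after splitting, so the check above targets only the raw byte.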

Vulnerability data from NVD (NIST) · CISA KEV · EPSS