Fluid Attacks Database

Description

Django has potential DoS via MultiPartParser through crafted multipart uploads An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. MultiPartParser allows remote attackers to degrade performance by submitting multipart uploads with Content-Transfer-Encoding: base64 including excessive whitespace.

Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	python-django	=2:2.2.24-1 \|\| =2:2.2.25-1~deb11u1 \|\| =2:2.2.26-1~deb11u1 \|\| =2:2.2.28-1~deb11u1 \|\| =2:2.2.28-1~deb11u10 \|\| =2:2.2.28-1~deb11u11 \|\| =2:2.2.28-1~deb11u12 \|\| =2:2.2.28-1~deb11u2 \|\| =2:2.2.28-1~deb11u3 \|\| =2:2.2.28-1~deb11u4 \|\| =2:2.2.28-1~deb11u5 \|\| =2:2.2.28-1~deb11u6 \|\| =2:2.2.28-1~deb11u7 \|\| =2:2.2.28-1~deb11u8 \|\| =2:2.2.28-1~deb11u9 \|\| =2:3.0-1 \|\| =2:3.0.1-1 \|\| =2:3.0.2-1 \|\| =2:3.0.4-1 \|\| =2:3.0.5-1 \|\| =2:3.0.6-1 \|\| =2:3.0.7-1 \|\| =2:3.0.7-2 \|\| =2:3.0~alpha1-1 \|\| =2:3.0~beta1-1 \|\| =2:3.0~rc1-1 \|\| =2:3.1-1 \|\| =2:3.1-2 \|\| =2:3.1.1-1 \|\| =2:3.1.2-1 \|\| =2:3.1.3-1 \|\| =2:3.1.4-1 \|\| =2:3.1.5-1 \|\| =2:3.1~beta1-1 \|\| =2:3.1~rc1-1 \|\| =2:3.2-1 \|\| =2:3.2.1-1 \|\| =2:3.2.10-1 \|\| =2:3.2.10-2 \|\| =2:3.2.10-2~bpo11+1 \|\| =2:3.2.10-2~bpo11+2 \|\| =2:3.2.11-1 \|\| =2:3.2.11-2 \|\| =2:3.2.12-1 \|\| =2:3.2.12-1~bpo11+1 \|\| =2:3.2.12-2 \|\| =2:3.2.13-1 \|\| =2:3.2.2-1 \|\| =2:3.2.3-1 \|\| =2:3.2.4-1 \|\| =2:3.2.5-1 \|\| =2:3.2.5-2 \|\| =2:3.2.6-1 \|\| =2:3.2.7-1 \|\| =2:3.2.7-2 \|\| =2:3.2.7-3 \|\| =2:3.2.7-4 \|\| =2:3.2.8-1 \|\| =2:3.2.9-1 \|\| =2:3.2.9-2 \|\| =2:3.2.9-2~bpo11+1 \|\| =2:3.2~alpha1-1 \|\| =2:3.2~alpha1-2 \|\| =2:3.2~beta1-1 \|\| =2:3.2~rc1-1 \|\| =2:4.0-1 \|\| =2:4.0.1-1 \|\| =2:4.0.1-2 \|\| =2:4.0.2-1 \|\| =2:4.0.3-1 \|\| =2:4.0.4-1 \|\| =2:4.0.5-1 \|\| =2:4.0.5-2 \|\| =2:4.0.6-1 \|\| =2:4.0~alpha1-1 \|\| =2:4.0~beta1-1 \|\| =2:4.0~rc1-1 \|\| =2:4.1~alpha1-1 \|\| =2:4.1~beta1-1 \|\| =2:4.1~rc1-1 \|\| =3:3.2.14-1 \|\| =3:3.2.15-1 \|\| =3:3.2.16-1 \|\| =3:3.2.16-2 \|\| =3:3.2.17-1 \|\| =3:3.2.18-1 \|\| =3:3.2.19-1 \|\| =3:3.2.20-1 \|\| =3:3.2.20-1.1 \|\| =3:3.2.21-1 \|\| =3:4.1-1 \|\| =3:4.1.1-1 \|\| =3:4.1.2-1 \|\| =3:4.1.3-1 \|\| =3:4.1.4-1 \|\| =3:4.1.5-1 \|\| =3:4.2-1 \|\| =3:4.2.1-1 \|\| =3:4.2.10-1 \|\| =3:4.2.11-1 \|\| =3:4.2.13-1 \|\| =3:4.2.14-1 \|\| =3:4.2.15-1 \|\| =3:4.2.15-1~bpo12+1 \|\| =3:4.2.16-1 \|\| =3:4.2.17-1 \|\| =3:4.2.17-2 \|\| =3:4.2.18-1 \|\| =3:4.2.18-1~bpo12+1 \|\| =3:4.2.19-1 \|\| =3:4.2.19-1~bpo12+1 \|\| =3:4.2.2-1 \|\| =3:4.2.20-1 \|\| =3:4.2.20-1~bpo12+1 \|\| =3:4.2.21-1 \|\| =3:4.2.21-1~bpo12+1 \|\| =3:4.2.22-1 \|\| =3:4.2.23-1 \|\| =3:4.2.24-1 \|\| =3:4.2.25-1 \|\| =3:4.2.25-2 \|\| =3:4.2.26-1 \|\| =3:4.2.27-1 \|\| =3:4.2.27-2 \|\| =3:4.2.28-1 \|\| =3:4.2.29-1 \|\| =3:4.2.3-1 \|\| =3:4.2.30-1 \|\| =3:4.2.4-1 \|\| =3:4.2.5-1 \|\| =3:4.2.5-2 \|\| =3:4.2.6-1 \|\| =3:4.2.8-1 \|\| =3:4.2.9-1 \|\| =3:4.2~alpha1-1 \|\| =3:4.2~beta1-1 \|\| =3:4.2~rc1-1 \|\| =3:5.0-1 \|\| =3:5.0.1-1 \|\| =3:5.0.2-1 \|\| =3:5.0.3-1 \|\| =3:5.0.4-1 \|\| =3:5.0.6-1 \|\| =3:5.0~alpha1-1 \|\| =3:5.0~rc1-1 \|\| =3:5.1-1 \|\| =3:5.1.1-1 \|\| =3:5.1.2-1 \|\| =3:5.1.3-1 \|\| =3:5.1.4-1 \|\| =3:5.1.5-1 \|\| =3:5.1~alpha1-1 \|\| =3:5.1~beta1-1 \|\| =3:5.1~rc1-1 \|\| =3:5.2-1 \|\| =3:5.2.1-1 \|\| =3:5.2.2-1 \|\| =3:5.2.3-1 \|\| =3:5.2.4-1 \|\| =3:5.2.5-1 \|\| =3:5.2.6-1 \|\| =3:5.2~alpha1-1 \|\| =3:5.2~beta1-1 \|\| =3:5.2~rc1-1 \|\| =3:6.0-1 \|\| =3:6.0.1-1 \|\| =3:6.0.2-1 \|\| =3:6.0.3-1 \|\| =3:6.0.4-1 \|\| =3:6.0~alpha1-1 \|\| =3:6.0~beta1-1 \|\| =3:6.0~rc1-1	-
debian 12	python-django	=3:3.2.19-1 \|\| =3:3.2.19-1+deb12u1 \|\| =3:3.2.19-1+deb12u1~bpo11+1 \|\| =3:3.2.19-1+deb12u2 \|\| =3:3.2.20-1 \|\| =3:3.2.20-1.1 \|\| =3:3.2.21-1 \|\| =3:3.2.25-0+deb12u1 \|\| =3:3.2.25-0+deb12u2 \|\| =3:4.1-1 \|\| =3:4.1.1-1 \|\| =3:4.1.2-1 \|\| =3:4.1.3-1 \|\| =3:4.1.4-1 \|\| =3:4.1.5-1 \|\| =3:4.2-1 \|\| =3:4.2.1-1 \|\| =3:4.2.10-1 \|\| =3:4.2.11-1 \|\| =3:4.2.13-1 \|\| =3:4.2.14-1 \|\| =3:4.2.15-1 \|\| =3:4.2.15-1~bpo12+1 \|\| =3:4.2.16-1 \|\| =3:4.2.17-1 \|\| =3:4.2.17-2 \|\| =3:4.2.18-1 \|\| =3:4.2.18-1~bpo12+1 \|\| =3:4.2.19-1 \|\| =3:4.2.19-1~bpo12+1 \|\| =3:4.2.2-1 \|\| =3:4.2.20-1 \|\| =3:4.2.20-1~bpo12+1 \|\| =3:4.2.21-1 \|\| =3:4.2.21-1~bpo12+1 \|\| =3:4.2.22-1 \|\| =3:4.2.23-1 \|\| =3:4.2.24-1 \|\| =3:4.2.25-1 \|\| =3:4.2.25-2 \|\| =3:4.2.26-1 \|\| =3:4.2.27-1 \|\| =3:4.2.27-2 \|\| =3:4.2.28-1 \|\| =3:4.2.29-1 \|\| =3:4.2.3-1 \|\| =3:4.2.30-1 \|\| =3:4.2.4-1 \|\| =3:4.2.5-1 \|\| =3:4.2.5-2 \|\| =3:4.2.6-1 \|\| =3:4.2.8-1 \|\| =3:4.2.9-1 \|\| =3:4.2~alpha1-1 \|\| =3:4.2~beta1-1 \|\| =3:4.2~rc1-1 \|\| =3:5.0-1 \|\| =3:5.0.1-1 \|\| =3:5.0.2-1 \|\| =3:5.0.3-1 \|\| =3:5.0.4-1 \|\| =3:5.0.6-1 \|\| =3:5.0~alpha1-1 \|\| =3:5.0~rc1-1 \|\| =3:5.1-1 \|\| =3:5.1.1-1 \|\| =3:5.1.2-1 \|\| =3:5.1.3-1 \|\| =3:5.1.4-1 \|\| =3:5.1.5-1 \|\| =3:5.1~alpha1-1 \|\| =3:5.1~beta1-1 \|\| =3:5.1~rc1-1 \|\| =3:5.2-1 \|\| =3:5.2.1-1 \|\| =3:5.2.2-1 \|\| =3:5.2.3-1 \|\| =3:5.2.4-1 \|\| =3:5.2.5-1 \|\| =3:5.2.6-1 \|\| =3:5.2~alpha1-1 \|\| =3:5.2~beta1-1 \|\| =3:5.2~rc1-1 \|\| =3:6.0-1 \|\| =3:6.0.1-1 \|\| =3:6.0.2-1 \|\| =3:6.0.3-1 \|\| =3:6.0.4-1 \|\| =3:6.0~alpha1-1 \|\| =3:6.0~beta1-1 \|\| =3:6.0~rc1-1	-
pypi	django	>=6.0 <6.0.4 \|\| >=5.2 <5.2.13 \|\| >=4.2 <4.2.30	6.0.4, 5.2.13, 4.2.30
debian 14	python-django	=3:4.2.23-1 \|\| =3:4.2.24-1 \|\| =3:4.2.25-1 \|\| =3:4.2.25-2 \|\| =3:4.2.26-1 \|\| =3:4.2.27-1 \|\| =3:4.2.27-2 \|\| =3:4.2.28-1 \|\| =3:4.2.29-1 \|\| >=0 <3:4.2.30-1	3:4.2.30-1
debian 13	python-django	=3:4.2.23-1 \|\| =3:4.2.24-1 \|\| =3:4.2.25-1 \|\| =3:4.2.25-2 \|\| =3:4.2.26-1 \|\| =3:4.2.27-0+deb13u1 \|\| =3:4.2.27-1 \|\| =3:4.2.27-2 \|\| =3:4.2.28-0+deb13u1 \|\| =3:4.2.28-1 \|\| =3:4.2.29-1 \|\| =3:4.2.30-1 \|\| =3:5.0-1 \|\| =3:5.0.1-1 \|\| =3:5.0.2-1 \|\| =3:5.0.3-1 \|\| =3:5.0.4-1 \|\| =3:5.0.6-1 \|\| =3:5.0~alpha1-1 \|\| =3:5.0~rc1-1 \|\| =3:5.1-1 \|\| =3:5.1.1-1 \|\| =3:5.1.2-1 \|\| =3:5.1.3-1 \|\| =3:5.1.4-1 \|\| =3:5.1.5-1 \|\| =3:5.1~alpha1-1 \|\| =3:5.1~beta1-1 \|\| =3:5.1~rc1-1 \|\| =3:5.2-1 \|\| =3:5.2.1-1 \|\| =3:5.2.2-1 \|\| =3:5.2.3-1 \|\| =3:5.2.4-1 \|\| =3:5.2.5-1 \|\| =3:5.2.6-1 \|\| =3:5.2~alpha1-1 \|\| =3:5.2~beta1-1 \|\| =3:5.2~rc1-1 \|\| =3:6.0-1 \|\| =3:6.0.1-1 \|\| =3:6.0.2-1 \|\| =3:6.0.3-1 \|\| =3:6.0.4-1 \|\| =3:6.0~alpha1-1 \|\| =3:6.0~beta1-1 \|\| =3:6.0~rc1-1	-

Aliases

1. CVE-2026-330332. NVD-2026-330333. OSV-DEBIAN-2026-330334. OSV-2026-330335. GCVE-2026-330336. SECURITY-TRACKER-CVE-2026-33033

References

1. https://github.com/ch4n3-yoon/CVE-2026-33033-PoC2. https://docs.djangoproject.com/en/dev/releases/security3. https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2026-48.yaml4. https://groups.google.com/g/django-announce5. https://www.djangoproject.com/weblog/2026/apr/07/security-releases