Fluid Attacks Database

Description

Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted multipart/form-data requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	python-multipart	>=0 <0.0.26	0.0.26
debian 11	python-multipart	=0.0.17-1 \|\| =0.0.17-2 \|\| =0.0.17-3 \|\| =0.0.17-4 \|\| =0.0.17-5 \|\| =0.0.20-1 \|\| =0.0.20-1.1 \|\| =0.0.20-1.1~deb13u1 \|\| =0.0.22-1 \|\| =0.0.26-1 \|\| =0.0.5-2 \|\| =0.0.5-3 \|\| =0.0.6-1 \|\| =0.0.9-1	-
debian 12	python-multipart	=0.0.17-1 \|\| =0.0.17-2 \|\| =0.0.17-3 \|\| =0.0.17-4 \|\| =0.0.17-5 \|\| =0.0.20-1 \|\| =0.0.20-1.1 \|\| =0.0.20-1.1~deb13u1 \|\| =0.0.22-1 \|\| =0.0.26-1 \|\| =0.0.5-3 \|\| =0.0.6-1 \|\| =0.0.9-1	-
debian 13	python-multipart	=0.0.20-1 \|\| =0.0.20-1.1 \|\| =0.0.20-1.1~deb13u1 \|\| =0.0.22-1 \|\| =0.0.26-1	-
debian 14	python-multipart	=0.0.20-1 \|\| =0.0.20-1.1 \|\| =0.0.20-1.1~deb13u1 \|\| =0.0.22-1 \|\| >=0 <0.0.26-1	0.0.26-1

Aliases

1. CVE-2026-403472. NVD-2026-403473. OSV-2026-403474. OSV-DEBIAN-2026-403475. GHSA-mj87-hwqh-73pj6. GCVE-2026-403477. SECURITY-TRACKER-CVE-2026-40347

References

1. https://github.com/Kludex/python-multipart/security/advisories/GHSA-mj87-hwqh-73pj2. https://github.com/Kludex/python-multipart/releases/tag/0.0.26

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.