CVE-2026-53538
CVSS: 3.7 (Low)
Exploitation Probability (EPSS): 7th percentile, low risk (higher than 7% of all known CVEs)
Summary
Python-Multipart before version 0.0.30 incorrectly treated the semicolon (;) as a field separator in application/x-www-form-urlencoded bodies, while the WHATWG standard and modern browsers recognize only the & character. This parsing differential allows an attacker to smuggle extra form fields past an upstream body-inspecting component.
Risk Assessment
The organization may be exposed to form-field smuggling attacks, which could bypass security mechanisms such as input validation or access control.
Recommendation
Immediately update the Python-Multipart library to version 0.0.30 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse (since the CVE-2021-23336 fix) treat only & as a separator. This creates a parser differential: the same bytes are tokenized into different fields than a WHATWG-compliant intermediary would produce, allowing an attacker to smuggle extra form fields past an upstream body-inspecting component. This vulnerability is fixed in 0.0.30.