
CVE-2026-53537 — Python-Multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters

CVSS 3.7 (Low) · EPSS 0.18% · P7

I. Basic Information for CVE-2026-53537

Vulnerability Information


Vulnerability Title
Python-Multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters
Source: NVD (National Vulnerability Database)
Vulnerability Description
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax (filename*=charset'lang'value, name*=..., and the filename*0/filename*1 continuation form) is decoded and surfaced under the bare filename/name key, and overrides the plain parameter when both are present. RFC 7578 §4.2 explicitly forbids the filename* form in multipart/form-data. Components that follow RFC 7578, or that do not implement RFC 2231/5987 decoding for multipart/form-data (WAFs, proxies, gateways), may interpret such a header differently. An attacker can exploit that difference to smuggle a different field name or filename past an upstream inspector to the backend. This vulnerability is fixed in 0.0.30.
Source: NVD (National Vulnerability Database)
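As an added illustration, not code from python-multipart or from this page, the following standard-library script reproduces the parser differential the description above refers to. `lenient_parse` hands the header to `email.message.Message` (the decoding path the advisory attributes to `parse_options_header` before 0.0.30) and collects parameters into a dict, so the decoded `filename*` or `name*` entry lands under the bare key and overwrites the plain value; `strict_parse` is a hypothetical RFC 7578 style inspector that performs no RFC 2231/5987 decoding and only reports extended parameters. The function names are the example's own and every header value is constructed.

```python
"""Added example (not python-multipart's code): the Content-Disposition
parser differential behind CVE-2026-53537, standard library only.

lenient_parse  models a backend that gives the header to
               email.message.Message, which applies RFC 2231/5987 decoding
               and surfaces filename*/name* under the bare key.
strict_parse   models a hypothetical RFC 7578 inspector (WAF, proxy, gateway)
               that performs no such decoding.
All header values are constructed for the demonstration.
"""
from email.message import Message

# Constructed sample Content-Disposition headers, one multipart part each.
SAMPLES = {
    "rfc5987_override": "form-data; name=\"file\"; filename=\"safe.txt\"; filename*=UTF-8''evil.php",
    "percent_encoded": "form-data; name=\"file\"; filename=\"safe.txt\"; filename*=UTF-8''%65vil.php",
    "continuation": "form-data; name=\"file\"; filename*0=\"evi\"; filename*1=\"l.php\"",
    "name_smuggle": "form-data; name=\"comment\"; name*=UTF-8''role",
    "clean": "form-data; name=\"file\"; filename=\"report.pdf\"",
}


def lenient_parse(header: str) -> tuple[str, dict[str, str]]:
    """Decoding view: Message.get_params() applies RFC 2231/5987, returns the
    decoded extended parameter under the bare key after the plain one, and
    the dict assignment lets that later entry overwrite the plain value."""
    msg = Message()
    msg["content-disposition"] = header
    params = msg.get_params(header="content-disposition")  # [(key, value), ...]
    dtype = params.pop(0)[0].lower()                         # e.g. "form-data"
    options: dict[str, str] = {}
    for key, value in params:
        if isinstance(value, tuple):                         # (charset, language, value)
            value = value[-1]
        options[key] = value                                 # later filename* wins
    return dtype, options


def _split_params(header: str) -> list[str]:
    """Split on ';' outside double-quoted strings (backslash escapes honoured)."""
    parts: list[str] = []
    buf: list[str] = []
    quoted = escape = False
    for ch in header:
        if escape:
            buf.append(ch)
            escape = False
        elif quoted and ch == "\\":
            buf.append(ch)
            escape = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == ";" and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def strict_parse(header: str) -> tuple[str, dict[str, str], list[str]]:
    """RFC 7578 view: no RFC 2231/5987 decoding. Any key containing '*'
    (filename*, name*, filename*0 ...) is left uninterpreted and reported,
    so the caller can reject the part instead of guessing its meaning."""
    parts = _split_params(header)
    if not parts:
        return "", {}, []
    dtype = parts[0].lower()
    params: dict[str, str] = {}
    extended: list[str] = []
    for p in parts[1:]:
        key, _, raw = p.partition("=")
        key, raw = key.strip().lower(), raw.strip()
        if "*" in key:
            extended.append(key)
            continue
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        params[key] = raw
    return dtype, params, extended


def smuggling_differential(header: str):
    """(upstream view, backend view, views differ?, extended keys seen)."""
    _, backend = lenient_parse(header)
    _, upstream, extended = strict_parse(header)
    keys = ("name", "filename")
    upstream_view = tuple(upstream.get(k) for k in keys)
    backend_view = tuple(backend.get(k) for k in keys)
    return upstream_view, backend_view, upstream_view != backend_view, extended


if __name__ == "__main__":
    for label, header in SAMPLES.items():
        up, back, differs, ext = smuggling_differential(header)
        print(f"{label:18} upstream={up} backend={back} differs={differs} extended={ext}")
```

Running it shows the same part read as `safe.txt` by the non-decoding inspector and as `evil.php` by the decoding backend, for the `filename*=charset'lang'value` form (literal and percent-encoded), for the `filename*0`/`filename*1` continuation form, and a field renamed from `comment` to `role` through `name*`. The check a practitioner wants is the one `strict_parse` exposes: refuse a multipart/form-data part whose Content-Disposition carries any parameter with `*` in its key rather than decoding it, and make sure the inspector and the backend apply the same policy.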
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
Improper Input Validation
Source: NVD (National Vulnerability Database)

Affected Products

Vendor   Product           Affected Versions   CPE
Kludex   python-multipart  < 0.0.30            -

II. Public POCs for CVE-2026-53537

No public POC found.

III. Intelligence Information for CVE-2026-53537


Other References for CVE-2026-53537 (1)

Same Patch Batch · Kludex · 2026-06-22 · 6 CVEs total

CVE-2026-53539 · 7.5 HIGH · Python-Multipart: Quadratic-time querystring parsing with semicolon separators causes CPU
CVE-2026-54283 · 7.5 HIGH · Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded en
CVE-2026-53540 · 3.7 LOW · Python-Multipart: Negative Content-Length in parse_form buffers the entire body in memory
CVE-2026-53538 · 3.7 LOW · Python-Multipart: Semicolon treated as querystring field separator enables parameter smugg
CVE-2026-54282 · 3.7 LOW · Starlette: Unvalidated request path concatenated into authority poisons request.url.hostna

IV. Related Vulnerabilities

V. Comments for CVE-2026-53537

No comments yet
