CVE-2026-53540 (GCVE-0-2026-53540)
Vulnerability from cvelistv5 – Published: 2026-06-22 16:58 – Updated: 2026-06-22 17:21 – CWE-1284 - Improper Validation of Specified Quantity in Input
| URL | Tags |
|---|---|
| https://github.com/Kludex/python-multipart/security/advisories/GHSA-v9pg-7xvm-68hf | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| Kludex | python-multipart | Affected: < 0.0.31 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-53540",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T17:21:49.069742Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T17:21:55.932Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "python-multipart",
"vendor": "Kludex",
"versions": [
{
"status": "affected",
"version": "\u003c 0.0.31"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks. This vulnerability is fixed in 0.0.31."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1284",
"description": "CWE-1284: Improper Validation of Specified Quantity in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:58:54.923Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-v9pg-7xvm-68hf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-v9pg-7xvm-68hf"
}
],
"source": {
"advisory": "GHSA-v9pg-7xvm-68hf",
"discovery": "UNKNOWN"
},
"title": "Python-Multipart: Negative Content-Length in parse_form buffers the entire body in memory"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-53540",
"datePublished": "2026-06-22T16:58:54.923Z",
"dateReserved": "2026-06-09T18:13:07.263Z",
"dateUpdated": "2026-06-22T17:21:55.932Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-53540",
"date": "2026-07-04",
"epss": "0.00217",
"percentile": "0.1214"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-53540\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-22T18:16:44.497\",\"lastModified\":\"2026-06-26T19:50:18.340\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks. This vulnerability is fixed in 0.0.31.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"Kludex\",\"product\":\"python-multipart\",\"versions\":[{\"version\":\"\u003c 0.0.31\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":3.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.2,\"impactScore\":1.4}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-06-22T17:21:49.069742Z\",\"id\":\"CVE-2026-53540\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA 
Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1284\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fastapiexpert:python-multipart:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"0.0.31\",\"matchCriteriaId\":\"B35A0C05-3D3C-4063-8A25-62EEE68E480B\"}]}]}],\"references\":[{\"url\":\"https://github.com/Kludex/python-multipart/security/advisories/GHSA-v9pg-7xvm-68hf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-53540\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-22T17:21:49.069742Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-22T17:21:51.710Z\"}}], \"cna\": {\"title\": \"Python-Multipart: Negative Content-Length in parse_form buffers the entire body in memory\", \"source\": {\"advisory\": \"GHSA-v9pg-7xvm-68hf\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"Kludex\", \"product\": \"python-multipart\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.0.31\"}]}], \"references\": [{\"url\": \"https://github.com/Kludex/python-multipart/security/advisories/GHSA-v9pg-7xvm-68hf\", \"name\": \"https://github.com/Kludex/python-multipart/security/advisories/GHSA-v9pg-7xvm-68hf\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks. 
This vulnerability is fixed in 0.0.31.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1284\", \"description\": \"CWE-1284: Improper Validation of Specified Quantity in Input\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-22T16:58:54.923Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-53540\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-22T17:21:55.932Z\", \"dateReserved\": \"2026-06-09T18:13:07.263Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-22T16:58:54.923Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-53540
Vulnerability from fkie_nvd - Published: 2026-06-22 18:16 - Updated: 2026-06-26 19:50
| Vendor | Product | Version | |
|---|---|---|---|
| fastapiexpert | python-multipart | * |
{
"affected": [
{
"affectedData": [
{
"product": "python-multipart",
"vendor": "Kludex",
"versions": [
{
"status": "affected",
"version": "\u003c 0.0.31"
}
]
}
],
"source": "security-advisories@github.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fastapiexpert:python-multipart:*:*:*:*:*:python:*:*",
"matchCriteriaId": "B35A0C05-3D3C-4063-8A25-62EEE68E480B",
"versionEndExcluding": "0.0.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks. This vulnerability is fixed in 0.0.31."
}
],
"id": "CVE-2026-53540",
"lastModified": "2026-06-26T19:50:18.340",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-53540",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T17:21:49.069742Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-06-22T18:16:44.497",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-v9pg-7xvm-68hf"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1284"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-V9PG-7XVM-68HF
Vulnerability from github – Published: 2026-06-15 20:23 – Updated: 2026-06-15 20:23
Summary
parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks.
Details
parse_form() reads the input stream in chunks, never reading more than the remaining Content-Length at a time. The per-chunk size is computed as min(content_length - bytes_read, chunk_size). The header value was parsed to an integer without checking its sign, so a Content-Length of -1 made this expression negative, and input_stream.read(-1) reads until end of stream. The intended bounded, chunked read therefore collapsed into a single unbounded read of the whole stream. The amount read is still bounded by what the client actually sends.
Impact
This only affects code that calls parse_form() directly with a Content-Length header taken from attacker-controlled input and without normalizing a negative value first. No known package is affected:
- Starlette and FastAPI drive MultipartParser directly from the ASGI receive() stream and do not call parse_form().
- Known parse_form() consumers either do not forward Content-Length to it, recompute it from the already-read body, or run behind a layer (such as Werkzeug) that normalizes a negative Content-Length to 0.
The realistic exposure is limited to bespoke WSGI or http.server handlers that forward raw client headers into parse_form(). In that case a crafted request buffers the body in memory at once, degrading availability under concurrent requests rather than causing a complete denial of service.
Mitigation
Upgrade to version 0.0.31 or later, which rejects a negative Content-Length with a ValueError before reading the stream.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "python-multipart"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53540"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-15T20:23:45Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\n\n`parse_form()` did not validate the `Content-Length` header before using it to bound its chunked read of the request body. A negative `Content-Length` turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks.\n\n### Details\n\n`parse_form()` reads the input stream in chunks, never reading more than the remaining `Content-Length` at a time. The per-chunk size is computed as `min(content_length - bytes_read, chunk_size)`. The header value was parsed to an integer without checking its sign, so a `Content-Length` of `-1` made this expression negative, and `input_stream.read(-1)` reads until end of stream. The intended bounded, chunked read therefore collapsed into a single unbounded read of the whole stream. The amount read is still bounded by what the client actually sends.\n\n### Impact\n\nThis only affects code that calls `parse_form()` directly with a `Content-Length` header taken from attacker-controlled input and without normalizing a negative value first. No known package is affected:\n\n* Starlette and FastAPI drive `MultipartParser` directly from the ASGI `receive()` stream and do not call `parse_form()`.\n* Known `parse_form()` consumers either do not forward `Content-Length` to it, recompute it from the already-read body, or run behind a layer (such as Werkzeug) that normalizes a negative `Content-Length` to `0`.\n\nThe realistic exposure is limited to bespoke WSGI or `http.server` handlers that forward raw client headers into `parse_form()`. In that case a crafted request buffers the body in memory at once, degrading availability under concurrent requests rather than causing a complete denial of service.\n\n### Mitigation\n\nUpgrade to version `0.0.31` or later, which rejects a negative `Content-Length` with a `ValueError` before reading the stream.",
"id": "GHSA-v9pg-7xvm-68hf",
"modified": "2026-06-15T20:23:45Z",
"published": "2026-06-15T20:23:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-v9pg-7xvm-68hf"
},
{
"type": "PACKAGE",
"url": "https://github.com/Kludex/python-multipart"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "python-multipart: Negative Content-Length in parse_form buffers the entire body in memory"
}
OPENSUSE-SU-2026:11099-1
Vulnerability from csaf_opensuse - Published: 2026-06-22 00:00 - Updated: 2026-06-22 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.x86_64 | — | Vendor Fix | |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.x86_64 | — | Vendor Fix | |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.x86_64 | — | Vendor Fix | |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "python311-python-multipart-0.0.32-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the python311-python-multipart-0.0.32-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-11099",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_11099-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-53537 page",
"url": "https://www.suse.com/security/cve/CVE-2026-53537/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-53538 page",
"url": "https://www.suse.com/security/cve/CVE-2026-53538/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-53540 page",
"url": "https://www.suse.com/security/cve/CVE-2026-53540/"
}
],
"title": "python311-python-multipart-0.0.32-1.1 on GA media",
"tracking": {
"current_release_date": "2026-06-22T00:00:00Z",
"generator": {
"date": "2026-06-22T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:11099-1",
"initial_release_date": "2026-06-22T00:00:00Z",
"revision_history": [
{
"date": "2026-06-22T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-python-multipart-0.0.32-1.1.aarch64",
"product": {
"name": "python311-python-multipart-0.0.32-1.1.aarch64",
"product_id": "python311-python-multipart-0.0.32-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-python-multipart-0.0.32-1.1.aarch64",
"product": {
"name": "python313-python-multipart-0.0.32-1.1.aarch64",
"product_id": "python313-python-multipart-0.0.32-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python314-python-multipart-0.0.32-1.1.aarch64",
"product": {
"name": "python314-python-multipart-0.0.32-1.1.aarch64",
"product_id": "python314-python-multipart-0.0.32-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-python-multipart-0.0.32-1.1.ppc64le",
"product": {
"name": "python311-python-multipart-0.0.32-1.1.ppc64le",
"product_id": "python311-python-multipart-0.0.32-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-python-multipart-0.0.32-1.1.ppc64le",
"product": {
"name": "python313-python-multipart-0.0.32-1.1.ppc64le",
"product_id": "python313-python-multipart-0.0.32-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python314-python-multipart-0.0.32-1.1.ppc64le",
"product": {
"name": "python314-python-multipart-0.0.32-1.1.ppc64le",
"product_id": "python314-python-multipart-0.0.32-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-python-multipart-0.0.32-1.1.s390x",
"product": {
"name": "python311-python-multipart-0.0.32-1.1.s390x",
"product_id": "python311-python-multipart-0.0.32-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-python-multipart-0.0.32-1.1.s390x",
"product": {
"name": "python313-python-multipart-0.0.32-1.1.s390x",
"product_id": "python313-python-multipart-0.0.32-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python314-python-multipart-0.0.32-1.1.s390x",
"product": {
"name": "python314-python-multipart-0.0.32-1.1.s390x",
"product_id": "python314-python-multipart-0.0.32-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-python-multipart-0.0.32-1.1.x86_64",
"product": {
"name": "python311-python-multipart-0.0.32-1.1.x86_64",
"product_id": "python311-python-multipart-0.0.32-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-python-multipart-0.0.32-1.1.x86_64",
"product": {
"name": "python313-python-multipart-0.0.32-1.1.x86_64",
"product_id": "python313-python-multipart-0.0.32-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python314-python-multipart-0.0.32-1.1.x86_64",
"product": {
"name": "python314-python-multipart-0.0.32-1.1.x86_64",
"product_id": "python314-python-multipart-0.0.32-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-python-multipart-0.0.32-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.aarch64"
},
"product_reference": "python311-python-multipart-0.0.32-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-python-multipart-0.0.32-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.ppc64le"
},
"product_reference": "python311-python-multipart-0.0.32-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-python-multipart-0.0.32-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.s390x"
},
"product_reference": "python311-python-multipart-0.0.32-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-python-multipart-0.0.32-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.x86_64"
},
"product_reference": "python311-python-multipart-0.0.32-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-python-multipart-0.0.32-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.aarch64"
},
"product_reference": "python313-python-multipart-0.0.32-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-python-multipart-0.0.32-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.ppc64le"
},
"product_reference": "python313-python-multipart-0.0.32-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-python-multipart-0.0.32-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.s390x"
},
"product_reference": "python313-python-multipart-0.0.32-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-python-multipart-0.0.32-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.x86_64"
},
"product_reference": "python313-python-multipart-0.0.32-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-python-multipart-0.0.32-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.aarch64"
},
"product_reference": "python314-python-multipart-0.0.32-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-python-multipart-0.0.32-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.ppc64le"
},
"product_reference": "python314-python-multipart-0.0.32-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-python-multipart-0.0.32-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.s390x"
},
"product_reference": "python314-python-multipart-0.0.32-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-python-multipart-0.0.32-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.x86_64"
},
"product_reference": "python314-python-multipart-0.0.32-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-53537",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-53537"
}
],
"notes": [
{
"category": "general",
"text": "Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax (filename*=charset\u0027lang\u0027value, name*=..., and the filename*0/filename*1 continuation form) is decoded and surfaced under the bare filename/name key, and overrides the plain parameter when both are present. RFC 7578 4.2 explicitly forbids the filename* form in multipart/form-data. Components that follow RFC 7578, or that do not implement RFC 2231/5987 decoding for multipart/form-data (WAFs, proxies, gateways), may interpret such a header differently. An attacker can exploit that difference to smuggle a different field name or filename past an upstream inspector to the backend. This vulnerability is fixed in 0.0.30.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.x86_64",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.x86_64",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-53537",
"url": "https://www.suse.com/security/cve/CVE-2026-53537"
},
{
"category": "external",
"summary": "SUSE Bug 1268506 for CVE-2026-53537",
"url": "https://bugzilla.suse.com/1268506"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.x86_64",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.x86_64",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.x86_64",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.x86_64",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-22T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2026-53537"
},
{
"cve": "CVE-2026-53538",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-53538"
}
],
"notes": [
{
"category": "general",
"text": "Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to \u0026. The WHATWG URL standard, modern browsers, and Python\u0027s urllib.parse (since the CVE-2021-23336 fix) treat only \u0026 as a separator. This creates a parser differential: the same bytes are tokenized into different fields than a WHATWG-compliant intermediary would produce, allowing an attacker to smuggle extra form fields past an upstream body-inspecting component. This vulnerability is fixed in 0.0.30.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.x86_64",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.x86_64",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-53538",
"url": "https://www.suse.com/security/cve/CVE-2026-53538"
},
{
"category": "external",
"summary": "SUSE Bug 1268496 for CVE-2026-53538",
"url": "https://bugzilla.suse.com/1268496"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.x86_64",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.x86_64",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.x86_64",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.x86_64",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-22T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2026-53538"
},
{
"cve": "CVE-2026-53540",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-53540"
}
],
"notes": [
{
"category": "general",
"text": "Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks. This vulnerability is fixed in 0.0.31.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.x86_64",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.x86_64",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-53540",
"url": "https://www.suse.com/security/cve/CVE-2026-53540"
},
{
"category": "external",
"summary": "SUSE Bug 1268488 for CVE-2026-53540",
"url": "https://bugzilla.suse.com/1268488"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.x86_64",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.x86_64",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python311-python-multipart-0.0.32-1.1.x86_64",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python313-python-multipart-0.0.32-1.1.x86_64",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.aarch64",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.ppc64le",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.s390x",
"openSUSE Tumbleweed:python314-python-multipart-0.0.32-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-22T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2026-53540"
}
]
}
SUSE-SU-2026:22372-1
Vulnerability from csaf_suse - Published: 2026-06-26 07:58 - Updated: 2026-06-26 07:58
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-python-multipart",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-python-multipart fixes the following issues:\n\n- CVE-2026-53537: multipart/form-data with extended parameters can lead to file or parameter smuggling (bsc#1268506).\n- CVE-2026-53538: urlencoded requests containing semicolons can lead to form field smuggling (bsc#1268496).\n- CVE-2026-53539: small crafted body can cause a denial of service (bsc#1268500).\n- CVE-2026-53540: crafted request buffers can lead to degrading availability (bsc#1268488).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-1088",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_22372-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:22372-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622372-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:22372-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-July/047767.html"
},
{
"category": "self",
"summary": "SUSE Bug 1268488",
"url": "https://bugzilla.suse.com/1268488"
},
{
"category": "self",
"summary": "SUSE Bug 1268496",
"url": "https://bugzilla.suse.com/1268496"
},
{
"category": "self",
"summary": "SUSE Bug 1268500",
"url": "https://bugzilla.suse.com/1268500"
},
{
"category": "self",
"summary": "SUSE Bug 1268506",
"url": "https://bugzilla.suse.com/1268506"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-53537 page",
"url": "https://www.suse.com/security/cve/CVE-2026-53537/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-53538 page",
"url": "https://www.suse.com/security/cve/CVE-2026-53538/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-53539 page",
"url": "https://www.suse.com/security/cve/CVE-2026-53539/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-53540 page",
"url": "https://www.suse.com/security/cve/CVE-2026-53540/"
}
],
"title": "Security update for python-python-multipart",
"tracking": {
"current_release_date": "2026-06-26T07:58:40Z",
"generator": {
"date": "2026-06-26T07:58:40Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:22372-1",
"initial_release_date": "2026-06-26T07:58:40Z",
"revision_history": [
{
"date": "2026-06-26T07:58:40Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python313-python-multipart-0.0.20-160000.5.1.noarch",
"product": {
"name": "python313-python-multipart-0.0.20-160000.5.1.noarch",
"product_id": "python313-python-multipart-0.0.20-160000.5.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-python-multipart-0.0.20-160000.5.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch"
},
"product_reference": "python313-python-multipart-0.0.20-160000.5.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-python-multipart-0.0.20-160000.5.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch"
},
"product_reference": "python313-python-multipart-0.0.20-160000.5.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-53537",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-53537"
}
],
"notes": [
{
"category": "general",
"text": "Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax (filename*=charset\u0027lang\u0027value, name*=..., and the filename*0/filename*1 continuation form) is decoded and surfaced under the bare filename/name key, and overrides the plain parameter when both are present. RFC 7578 Section 4.2 explicitly forbids the filename* form in multipart/form-data. Components that follow RFC 7578, or that do not implement RFC 2231/5987 decoding for multipart/form-data (WAFs, proxies, gateways), may interpret such a header differently. An attacker can exploit that difference to smuggle a different field name or filename past an upstream inspector to the backend. This vulnerability is fixed in 0.0.30.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-53537",
"url": "https://www.suse.com/security/cve/CVE-2026-53537"
},
{
"category": "external",
"summary": "SUSE Bug 1268506 for CVE-2026-53537",
"url": "https://bugzilla.suse.com/1268506"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-26T07:58:40Z",
"details": "low"
}
],
"title": "CVE-2026-53537"
},
{
"cve": "CVE-2026-53538",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-53538"
}
],
"notes": [
{
"category": "general",
"text": "Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to \u0026. The WHATWG URL standard, modern browsers, and Python\u0027s urllib.parse (since the CVE-2021-23336 fix) treat only \u0026 as a separator. This creates a parser differential: the same bytes are tokenized into different fields than a WHATWG-compliant intermediary would produce, allowing an attacker to smuggle extra form fields past an upstream body-inspecting component. This vulnerability is fixed in 0.0.30.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-53538",
"url": "https://www.suse.com/security/cve/CVE-2026-53538"
},
{
"category": "external",
"summary": "SUSE Bug 1268496 for CVE-2026-53538",
"url": "https://bugzilla.suse.com/1268496"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-26T07:58:40Z",
"details": "low"
}
],
"title": "CVE-2026-53538"
},
{
"cve": "CVE-2026-53539",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-53539"
}
],
"notes": [
{
"category": "general",
"text": "Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two-step lookup: it first scanned the entire remaining buffer for \u0026, and only when no \u0026 existed anywhere ahead did it fall back to scanning for ;. For a body that uses ; as the separator and contains no \u0026, every field iteration performed a full failed \u0026 scan over the entire remaining buffer before locating the nearby ;. With N semicolon-separated fields in a chunk of size B, this yields O(B^2) byte comparisons per chunk. An attacker can submit a small crafted body of the form a;a;a;... and cause the parser to spend seconds of CPU per request. A handful of concurrent requests can exhaust worker processes. This vulnerability is fixed in 0.0.30.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-53539",
"url": "https://www.suse.com/security/cve/CVE-2026-53539"
},
{
"category": "external",
"summary": "SUSE Bug 1268500 for CVE-2026-53539",
"url": "https://bugzilla.suse.com/1268500"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-26T07:58:40Z",
"details": "important"
}
],
"title": "CVE-2026-53539"
},
{
"cve": "CVE-2026-53540",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-53540"
}
],
"notes": [
{
"category": "general",
"text": "Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parse_form() did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks. This vulnerability is fixed in 0.0.31.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-53540",
"url": "https://www.suse.com/security/cve/CVE-2026-53540"
},
{
"category": "external",
"summary": "SUSE Bug 1268488 for CVE-2026-53540",
"url": "https://bugzilla.suse.com/1268488"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-python-multipart-0.0.20-160000.5.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-26T07:58:40Z",
"details": "low"
}
],
"title": "CVE-2026-53540"
}
]
}