CVE-2026-40347

Summary

Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted multipart/form-data requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.

Affected Software

VendorProductVersion RangeStatus
Kludexpython-multipart< 0.0.26affected

Weaknesses

  • CWE-400: CWE-400: Uncontrolled Resource Consumption
  • CWE-834: CWE-834: Excessive Iteration

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References