CVE Vulnerabilities

CVE-2026-53538

Interpretation Conflict

Published: Jun 22, 2026 | Modified: Jun 26, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Pythons urllib.parse (since the CVE-2021-23336 fix) treat only & as a separator. This creates a parser differential: the same bytes are tokenized into different fields than a WHATWG compliant intermediary would produce, allowing an attacker to smuggle extra form fields past an upstream body inspecting component. This vulnerability is fixed in 0.0.30.

Weakness

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B’s state.

Affected Software

NameVendorStart VersionEnd Version
Python-multipartFastapiexpert*0.0.30 (excluding)
Python-multipartUbuntuquesting*

References