CVE-2026-40347 MEDIUM

CVE-2026-40347: Python-Multipart affected by Denial of Service via large multipart preamble or epilogue data

Vendor Kludex

Product python-multipart

Weakness CWE-400

Published April 17, 2026

Last update April 20, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

Description

Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.

Key dates

Disclosure timeline

April 17, 2026 CVE published

April 20, 2026 Record updated