Field Separator Handling Issue in Python-Multipart by Kludex
CVE-2026-53538

3.7 LOW

Key Information:

Vendor: Kludex
CVE Published: 22 June 2026

What is CVE-2026-53538?

The python-multipart library, a streaming multipart parser for Python, has a vulnerability in which the QuerystringParser improperly treats ';' as a field separator in application/x-www-form-urlencoded data. This deviates from the behavior established by the WHATWG URL standard and affects the security of data handling. Because of the discrepancy, attackers can potentially smuggle additional form fields past the security checks of components that inspect the request body. The issue is resolved in version 0.0.30 of the library.
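The parsing difference described above, as an added example that is not python-multipart's own code: it models one parser that splits only on '&' (the WHATWG behavior) and one that also splits on ';', and reports the field names only the second parser sees. The function names and the sample bodies are constructed for illustration.

```python
from urllib.parse import unquote_plus


def parse_fields(body: str, separators: str = "&") -> list[tuple[str, str]]:
    """Split a urlencoded body on the given separator characters, then decode.

    separators="&"  models a WHATWG-conformant parser.
    separators="&;" models a parser that also accepts ';' (assumed model of
    the behavior the advisory describes, not the library's implementation).
    """
    pieces = [body]
    for sep in separators:
        pieces = [part for piece in pieces for part in piece.split(sep)]

    fields = []
    for piece in pieces:
        if not piece:
            continue  # skip empty segments such as "a=1&&b=2"
        name, _, value = piece.partition("=")
        # Decoding happens after splitting, so an encoded %3B never separates.
        fields.append((unquote_plus(name), unquote_plus(value)))
    return fields


def parser_disagreement(body: str) -> set[str]:
    """Field names visible only when ';' is also treated as a separator.

    A non-empty result means an inspecting component and the application
    could see different form fields for the same request body.
    """
    strict = {name for name, _ in parse_fields(body, "&")}
    lenient = {name for name, _ in parse_fields(body, "&;")}
    return lenient - strict


if __name__ == "__main__":
    # Constructed sample bodies, not taken from any real request.
    samples = [
        "name=alice&note=hello",   # both parsers agree
        "note=a;extra=1",          # literal ';' inside a value
        "note=a%3Bextra%3D1",      # percent-encoded ';' stays inside the value
    ]
    for body in samples:
        print(f"{body!r}: extra fields = {sorted(parser_disagreement(body))}")
```

A check like this can run in the inspecting component to reject or log bodies on which the two parsing models disagree until the library is upgraded to 0.0.30.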

Affected Version(s)

python-multipart < 0.0.30

CVSS V3.1

Score: 3.7
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
