DEBIAN-CVE-2026-28356

DEBIAN-CVE-2026-28356 PUBLISHED CVSS 7.5 HIGH

multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parse_options_header() function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking (ReDoS) when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for denial of service (DoS) attacks against web applications using this library to parse request headers or multipart/form-data streams. The issue is fixed in 1.2.2, 1.3.1 and 1.4.0-dev.

Risk Scores

CVSS 3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor	Product	Versions

Debian:14	multipart	1.3.0-3, 1.2.1-2, 0
Debian	multipart
Debian:13	multipart	0, 1.2.1-2, 0

Timeline

Mar 12, 2026 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2026-28356 advisory

Open in Interactive Console →