Vulnerability Details CVE-2026-53537
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition (and Content-Type) headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax (filename*=charset'lang'value, name*=..., and the filename*0/filename*1 continuation form) is decoded and surfaced under the bare filename/name key, and overrides the plain parameter when both are present. RFC 7578 §4.2 explicitly forbids the filename* form in multipart/form-data. Components that follow RFC 7578, or that do not implement RFC 2231/5987 decoding for multipart/form-data (WAFs, proxies, gateways), may interpret such a header differently. An attacker can exploit that difference to smuggle a different field name or filename past an upstream inspector to the backend. This vulnerability is fixed in 0.0.30.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 7.4%
CVSS Severity
CVSS v3 Score 3.7
Products affected by CVE-2026-53537
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.1
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.10
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.11
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.12
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.13
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.14
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.15
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.16
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.17
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.18
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.19
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.2
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.20
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.21
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.22
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.23
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.24
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.25
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.26
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.27
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.28
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.29
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.3
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.4
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.5
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.6
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.7
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.8
-
cpe:2.3:a:fastapiexpert:python-multipart:0.0.9