{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40347", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T22:50:01.358Z", "datePublished": "2026-04-17T23:56:50.777Z", "dateUpdated": "2026-04-17T23:56:50.777Z"}, "containers": {"cna": {"title": "Python-Multipart affected by Denial of Service via large multipart preamble or epilogue data", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-834", "lang": "en", "description": "CWE-834: Excessive Iteration", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-mj87-hwqh-73pj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-mj87-hwqh-73pj"}, {"name": "https://github.com/Kludex/python-multipart/releases/tag/0.0.26", "tags": ["x_refsource_MISC"], "url": "https://github.com/Kludex/python-multipart/releases/tag/0.0.26"}], "affected": [{"vendor": "Kludex", "product": "python-multipart", "versions": [{"version": "< 0.0.26", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T23:56:50.777Z"}, "descriptions": [{"lang": "en", "value": "Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary."}], "source": {"advisory": "GHSA-mj87-hwqh-73pj", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary."}], "id": "CVE-2026-40347", "lastModified": "2026-04-18T00:16:38.520", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-18T00:16:38.520", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Kludex/python-multipart/releases/tag/0.0.26"}, {"source": "security-advisories@github.com", "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-mj87-hwqh-73pj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-834"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.0.26)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "python-multipart", "source": "cna", "vendor": "Kludex"}, "product": "python-multipart", "vendor": "kludex"}], "analysis": {"en": {"generated_at": "2026-04-18T08:44:12.467385+00:00", "value": {"mitigation_remediation": ["Upgrade to python\u2011multipart 0.0.26 or later, which skips unnecessary boundary candidates and discards epilogue data promptly", "If upgrading immediately is not possible, configure the application or its reverse proxy to reject or throttle requests with excessively large preamble or epilogue sizes", "Implement additional input validation or size limits on multipart parsing to guard against abusive request constructs"], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The issue affects the Kludex Python-Multipart package, specifically all releases older than 0.0.26. Systems that rely on this package to process file uploads or form submissions are potentially exposed if they accept large multipart boundaries without appropriate size controls.", "description_and_impact": "Python-Multipart is a streaming multipart parser used in Python web applications. The vulnerability allows an attacker to create a multipart/form\u2011data request that contains a very large preamble or epilogue section. When parsed, the library consumes excessive resources before reaching the actual file data, potentially exhausting server memory or CPU and causing service interruption. The weakness is a resource limit bypass, matching CWE\u2011400 and an improper handling of input data, CWE\u2011834.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity. No EPSS score is available, so the current exploit probability is unknown, but the absence from the CISA KEV catalog suggests no public exploits are documented. Likely attack vectors involve a client sending a crafted HTTP request to a vulnerable server; no authentication or additional privileges are required. The impact is limited to service availability for the affected application, but repeated or high\u2011volume attacks could affect broader infrastructure reliability."}}}}, "created": "2026-04-18T01:30:15.918479+00:00", "updated": "2026-04-18T08:45:41.388407+00:00", "vendors": ["kludex", "kludex$PRODUCT$python-multipart"]}