High severity7.5NVD Advisory· Published Mar 12, 2026· Updated Apr 16, 2026

CVE-2026-28356

Description

multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parse_options_header() function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking (ReDoS) when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for denial of service (DoS) attacks against web applications using this library to parse request headers or multipart/form-data streams. The issue is fixed in 1.2.2, 1.3.1 and 1.4.0-dev.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
multipartPyPI	>= 1.3.0, < 1.3.1	1.3.1
multipartPyPI	< 1.2.2	1.2.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-p2m9-wcp5-6qw3ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-28356ghsaADVISORY
github.com/defnull/multipart/security/advisories/GHSA-p2m9-wcp5-6qw3nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000