High severity 7.5 · NVD Advisory · Published May 13, 2026 · Updated May 14, 2026
CVE-2026-42561
Description
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating the header block or a single very large header value, causing excessive CPU work before request rejection or completion. This vulnerability is fixed in 0.0.27.
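The description above comes down to two missing bounds: the number of headers in a part and the size of a single header. The following added example (not python-multipart's code; the class name, error type and limit values are assumptions chosen for illustration) shows a streaming header reader that enforces both and rejects either input as soon as a limit is crossed:

```python
# Illustrative bounded reader for a multipart part-header block.
# Not python-multipart code; the limit values below are assumptions.
MAX_HEADER_COUNT = 8      # assumed cap on headers per part
MAX_HEADER_SIZE = 4096    # assumed cap on one header line, in bytes


class HeaderLimitError(ValueError):
    """Raised the moment a limit is crossed, before more input is buffered."""


class BoundedHeaderReader:
    def __init__(self, max_count=MAX_HEADER_COUNT, max_size=MAX_HEADER_SIZE):
        self.max_count, self.max_size = max_count, max_size
        self.headers = []          # completed (name, value) pairs
        self.done = False          # set when the blank line ends the block
        self._line = bytearray()   # current, possibly partial, header line

    def feed(self, chunk: bytes) -> int:
        """Consume header bytes from chunk; return the number of bytes used."""
        used = 0
        while used < len(chunk) and not self.done:
            end = chunk.find(b"\n", used)
            piece = chunk[used:] if end < 0 else chunk[used:end + 1]
            # Checked on partial lines too, so an unterminated oversized
            # header is rejected without being buffered in full.
            if len(self._line) + len(piece) > self.max_size + 2:  # +2 for CRLF
                raise HeaderLimitError("part header exceeds size limit")
            self._line += piece
            used += len(piece)
            if self._line.endswith(b"\r\n"):
                self._finish_line()
        return used

    def _finish_line(self):
        line = bytes(self._line[:-2])
        self._line.clear()
        if not line:               # blank line terminates the header block
            self.done = True
            return
        if len(self.headers) >= self.max_count:
            raise HeaderLimitError("too many part headers")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed part header")
        self.headers.append((name.strip().lower(), value.strip()))


if __name__ == "__main__":
    reader = BoundedHeaderReader()   # constructed sample input below
    reader.feed(b'Content-Disposition: form-data; name="f"\r\n\r\nbody')
    print(reader.headers, reader.done)
```

Because the size check runs on partial lines and the count check runs per completed line, the work done on a hostile request is bounded by the limits rather than by the request length.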
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| python-multipart (PyPI) | < 0.0.27 | 0.0.27 |
Affected products
18 versions (osv-coords). No CPE is listed for any entry.
| Package | Affected range |
|---|---|
| pkg:apk/chainguard/airflow-3 | < 3.2.1-r3 |
| pkg:apk/chainguard/airflow-core-3 | < 3.2.1-r1 |
| pkg:apk/chainguard/keep-api | < 0.51.0-r6 |
| pkg:apk/chainguard/keep-api-fips | < 0.51.0-r6 |
| pkg:apk/chainguard/litellm | < 1.83.14.0-r1 |
| pkg:apk/chainguard/lmcache-cuda-12.8 | < 0.4.4-r1 |
| pkg:apk/chainguard/reflex | < 0.9.3-r0 |
| pkg:apk/chainguard/semgrep | < 1.162.0-r0 |
| pkg:apk/chainguard/synapse | < 1.151.0-r4 |
| pkg:apk/chainguard/wazuh-manager-framework | < 4.14.4-r6 |
| pkg:apk/chainguard/wazuh-manager-framework-fips | < 4.14.5-r0 |
| pkg:apk/wolfi/airflow-3 | < 3.2.1-r3 |
| pkg:apk/wolfi/reflex | < 0.9.3-r0 |
| pkg:apk/wolfi/semgrep | < 1.162.0-r0 |
| pkg:pypi/python-multipart | < 0.0.27 |
| pkg:rpm/opensuse/python-python-multipart&distro=openSUSE%20Tumbleweed | < 0.0.28-1.1 |
| pkg:rpm/suse/python-python-multipart&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 | < 0.0.20-160000.4.1 |
| pkg:rpm/suse/python-python-multipart&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 | < 0.0.20-160000.4.1 |