Python
CVE-2026-28356
HIGH
GHSA-p2m9-wcp5-6qw3
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5Blast Radius
ecosystem impact- 1 pypi packages depend on multipart (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.3.0.
DescriptionGitHub Advisory
multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parse_options_header() function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking (ReDoS) when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for denial of service (DoS) attacks against web applications using this library to parse request headers or multipart/form-data streams. The issue is fixed in 1.2.2, 1.3.1 and 1.4.0-dev.
AnalysisAI
High severity vulnerability in Python multipart. The parse_options_header() function in multipart.py uses a regular expression with an *ambiguous alternation*, which can cause *exponential backtracking (ReDoS)* when parsing maliciously crafted HTTP or multipart segment headers. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions — remote unauthenticated exploitation against any web application using multipart library versions prior to 1.2.2, 1.3.1, or 1.4.0-dev that processes multipart/form-data requests or parses HTTP headers containing Content-Disposition or similar headers via parse_options_header(). Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Severity: High (7.5/10.0) No EPSS data available yet HIGH RISK: Remotely exploitable without authentication — internet-facing instances are directly vulnerable Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | This vulnerability can be exploited remotely without authentication or user interaction, making it suitable for automated scanning and mass exploitation. An attacker can cause service disruption, rendering the application unavailable to legitimate users. |
| Remediation | Security advisories: - https://github.com/defnull/multipart/security/advisories/GHSA-p2m9-wcp5-6qw3 Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all applications and services using the Python multipart library and assess exposure to untrusted HTTP multipart requests. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API ac
Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privil
Unauthenticated remote code execution in Crawl4AI versions <= 0.8.6 allows attackers to escape the AST-based sandbox in
Remote code execution in Langflow versions through 1.9.1 allows unauthenticated attackers to execute arbitrary Python co
Authenticated remote code execution in ChromaDB Python project versions 0.4.17 and later enables attackers holding the U
Vendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today