CVE-2026-28356

Publication date 12 March 2026

Last updated 2 June 2026

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

7.5 · High

Score breakdown

Description

multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parse_options_header() function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking (ReDoS) when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for denial of service (DoS) attacks against web applications using this library to parse request headers or multipart/form-data streams. The issue is fixed in 1.2.2, 1.3.1 and 1.4.0-dev.

Status

Package Ubuntu Release Status
multipart 26.04 LTS resolute
Fixed 1.3.0-3ubuntu0.1
25.10 questing
Fixed 1.2.1-2+deb13u1build0.25.10.1
24.04 LTS noble Not in release
22.04 LTS jammy Not in release

Severity score breakdown

CVSS version: CVSS v3.0

Base score 7.5 · High

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Related Ubuntu Security Notices (USN)

Other references

Access our resources on patching vulnerabilities