Skip to content

CVE-2026-53538

is CVE-2026-53538real, exploitable, or a false positive? Here's the community verdict.

☆ Watch
Low · CVSS 3.7EPSS 0.2%CWE-436

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse (since the CVE-2021-23336 fix) treat only & as a separator. This creates a parser differential: the same bytes are tokenized into different fields than a WHATWG compliant intermediary would produce, allowing an attacker to smuggle extra form fields past an upstream body inspecting component. This vulnerability is fixed in 0.0.30.

References

NVD MITRE CVE.org

Published

Embed this verdict
TruePositive verdict for CVE-2026-53538
Markdown
[![TruePositive verdict](https://www.truepositive.app/cve/CVE-2026-53538/badge.svg)](https://www.truepositive.app/cve/CVE-2026-53538)
HTML
<a href="https://www.truepositive.app/cve/CVE-2026-53538"><img src="https://www.truepositive.app/cve/CVE-2026-53538/badge.svg" alt="TruePositive verdict for CVE-2026-53538"></a>

Live badge that updates automatically as the community verdict changes.

Community ground truth

In your experience, is this finding real and exploitable?

0 verdicts
Not a real issue

No account needed. Anonymous verdicts post as an unverified signal. Log in to make yours verified and earn reputation.

Field notes & remediation

Verdicts are the quick signal. Notes are the evidence and fixes behind them.

No notes yet. Be the first to share what you saw, or a fix that worked.

    Add a field note or remediationoptional
    Note type

    What are you adding?

    Markdown supported · minimum 20 characters.