Linux Distros Unpatched Vulnerability : CVE-2026-33033

🗓️ 07 Apr 2026 00:00:00Reported by TenableType

Linux host vulnerable to CVE-2026-33033 from unpatched MultiPartParser; base64 uploads degrade.

Reporter	Title	Published	Views	Family All 76
GithubExploit	Exploit for CVE-2026-33033	10 Apr 202602:04	–	githubexploit
IBM Security Bulletins	Security Bulletin: Cross-site scripting, authentication bypass by spoofing, and other vulnerabilities might affect IBM Storage Defender - Resiliency Service	18 May 202616:41	–	ibm
ATTACKERKB	CVE-2026-33033	7 Apr 202614:22	–	attackerkb
AlpineLinux	CVE-2026-33033	7 Apr 202614:22	–	alpinelinux
Chainguard	CVE-2026-33033 vulnerabilities	10 Apr 202602:13	–	cgr
Circl	CVE-2026-33033	8 Apr 202606:15	–	circl
CNNVD	Django 安全漏洞	7 Apr 202600:00	–	cnnvd
CVE	CVE-2026-33033	7 Apr 202614:22	–	cve
Cvelist	CVE-2026-33033 Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload	7 Apr 202614:22	–	cvelist
Debian CVE	CVE-2026-33033	7 Apr 202614:22	–	debiancve

Source	Link
security-tracker	www.security-tracker.debian.org/tracker/CVE-2026-33033
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(305221);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/19");

  script_cve_id("CVE-2026-33033");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2026-33033");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser`
    allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-
    Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x,
    4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon
    for reporting this issue. (CVE-2026-33033)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2026-33033");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:U/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-33033");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/04/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:13.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:python-django");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Debian Linux-11", "Host/OS/Debian Linux-12", "Host/OS/Debian Linux-13");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Debian Linux-11": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "11",
        "pkgs": [
          {"reference": "python-django-doc"},
          {"reference": "python3-django"}
        ]
      }
    ]
  },
  "Debian Linux-12": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "12",
        "pkgs": [
          {"reference": "python-django-doc"},
          {"reference": "python3-django"}
        ]
      }
    ]
  },
  "Debian Linux-13": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "13",
        "pkgs": [
          {"reference": "python-django-doc"},
          {"reference": "python3-django"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

19 May 2026 00:00Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.16.5

EPSS0.00049

SSVC