Lucene search
K

15 matches found

NVD
NVD
added 2026/06/22 6:16 p.m.16 views

CVE-2026-53538

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only...

3.7CVSS0.00176EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/22 4:56 p.m.38 views

CVE-2026-53538 Python-Multipart: Semicolon treated as querystring field separator enables parameter smuggling

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only...

3.7CVSS0.00176EPSS
Exploits0References1
Debian CVE
Debian CVE
added 2026/06/22 4:56 p.m.5 views

CVE-2026-53538

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only...

3.7CVSS5.9AI score0.00176EPSS
Exploits0
Cvelist
Cvelist
added 2026/06/22 4:55 p.m.31 views

CVE-2026-53539 Python-Multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead...

7.5CVSS0.00263EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.14 views

PT-2026-49570

Name of the Vulnerable Software and Affected Versions Python-Multipart versions prior to 0.0.30 Description The QuerystringParser treated the semicolon ; as a field separator in application/x-www-form-urlencoded bodies, in addition to the ampersand &. This deviates from the WHATWG URL standard,...

3.7CVSS6.8AI score0.00176EPSS
Exploits0References16
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.12 views

PT-2026-49571

Name of the Vulnerable Software and Affected Versions python-multipart versions prior to 0.0.30 Description A quadratic complexity issue exists when parsing application/x-www-form-urlencoded bodies. The QuerystringParser performs a two-step lookup for field separators, scanning the entire remaini...

7.5CVSS6AI score0.00263EPSS
Exploits0References15
CNNVD
CNNVD
added 2025/09/25 12:0 a.m.4 views

Rack 安全漏洞

Rack is a modular Ruby web server interface open-sourced by Rack. A security vulnerability exists in Rack versions prior to 2.2.18, which stems from the fact that Rack::QueryParser enforces the paramslimit restriction only on parameters separated by &, but still accepts both & and ; as separators...

7.5CVSS6.7AI score0.00535EPSS
Exploits0References3
OSV
OSV
added 2025/08/11 1:51 p.m.7 views

BIT-LIBPYTHON-2021-23336 Web Cache Poisoning

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parseqsl and urllib.parse.parseqs by using a vector called parameter cloaking. When the attacker can...

5.9CVSS6.6AI score0.35963EPSS
Exploits1References38
OSV
OSV
added 2021/02/15 1:15 p.m.4 views

DEBIAN-CVE-2021-23336

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parseqsl and urllib.parse.parseqs by using a vector called parameter cloaking. When the attacker can...

5.9CVSS7.3AI score0.35963EPSS
Exploits1References1
OSV
OSV
added 2021/02/15 1:15 p.m.3 views

ALPINE-CVE-2021-23336

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parseqsl and urllib.parse.parseqs by using a vector called parameter cloaking. When the attacker can...

5.9CVSS6.9AI score0.35963EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2021/02/15 12:15 p.m.2 views

CVE-2021-23336 Web Cache Poisoning

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parseqsl and urllib.parse.parseqs by using a vector called parameter cloaking. When the attacker can...

5.9CVSS6.5AI score0.35963EPSS
Exploits1References37
OSV
OSV
added 2021/02/15 12:0 a.m.24 views

PSF-2021-1 urllib parse_qsl(): Web cache poisoning - semicolon as a query args separator

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parseqsl and urllib.parse.parseqs by using a vector called parameter cloaking. When the attacker can...

5.9CVSS7.7AI score0.35963EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2021/02/13 12:0 a.m.15 views

PT-2021-3621

Name of the Vulnerable Software and Affected Versions python/cpython versions 0 through 3.6.13 python/cpython versions 3.7.0 through 3.7.10 python/cpython versions 3.8.0 through 3.8.8 python/cpython versions 3.9.0 through 3.9.2 Description The issue is related to Web Cache Poisoning via...

5.9CVSS6.8AI score0.35963EPSS
Exploits1References351
Debian CVE
Debian CVE
added 2021/01/18 11:15 a.m.21 views

CVE-2020-28473

The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon ;, they can cause a difference in the interpretation of the request between the proxy running with...

6.8CVSS6.4AI score0.01837EPSS
Exploits1
OpenVAS
OpenVAS
added 2008/10/24 12:0 a.m.46 views

HTTP NIDS evasion

This plugin configures OpenVAS for NIDS evasion see the SPDX-FileCopyrightText: 2008 Michel Arboi / Renaud Deraison Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only The HTTP IDS evasion...

7.1AI score
Exploits0References1
Rows per page
Query Builder