CVE-2026-53538: python-multipart: Semicolon treated as querystring field separator enables parameter smuggling

June 15, 2026

QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python’s urllib.parse (since the CVE-2021-23336 fix) treat only & as a separator. This creates a parser differential: the same bytes are tokenized into different fields than a WHATWG compliant intermediary would produce, allowing an attacker to smuggle extra form fields past an upstream body inspecting component.

References

github.com/Kludex/python-multipart/security/advisories/GHSA-6jv3-5f52-599m
github.com/advisories/GHSA-6jv3-5f52-599m
nvd.nist.gov/vuln/detail/CVE-2026-53538

Code Behaviors & Features

Detect and mitigate CVE-2026-53538 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →