Django has potential DoS via MultiPartParser through crafted multipart uploads

GHSA-5mf9-h53q-7mhq · BIT-django-2026-33033 · CVE-2026-33033 · PYSEC-2026-48

Published Apr 7, 2026 · Modified Jun 5, 2026

Description

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. MultiPartParser allows remote attackers to degrade performance by submitting multipart uploads with Content-Transfer-Encoding: base64 including excessive whitespace.

Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Seokchan Yoon for reporting this issue.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-33033
WEB https://docs.djangoproject.com/en/dev/releases/security
PACKAGE https://github.com/django/django
WEB https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2026-48.yaml
WEB https://groups.google.com/g/django-announce
WEB https://www.djangoproject.com/weblog/2026/apr/07/security-releases

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes