The 'multipart' python library got an independent security audit and I only know about that because they found something -> CVE-2026-28356
This is great, actually! Someone looked into it so thoroughly that they found an obscure single-character issue in a regular expression ... and didn't find anything else! Which means I can …
A while ago I found CVE-2024-47874 in starlette (and FastAPI). The same issue is also present in litestar and I repotted that as CVE-2024-52581 (CVSSv4 8.7). The reaction time from the team was very quick this time and a fix was published in less than a week. A new …
Werkzeug is a Web Server Gateway Interface (WSGI)
library used to develop python web applications or frameworks. Applications using
werkzeug.formparser.MultiPartParser to parse multipart/form-data requests (e.g. all
flask and quart applications) were vulnerable to resource exhaustion (denial of
service) attacks. A specifically crafted form submission request could …
I'm finally allowed to speak about this nice little DoS vulnerability I found in starlette (and FastAPI).
The FastAPI devs published an update 3 days before the security release of Starlette that widened …