CVE-2026-33033

Description

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.

How to fix CVE-2026-33033

To remediate CVE-2026-33033, upgrade the affected package to a fixed version below.

• —upgrade to 4.2.30 or later
• —no fix listed
• —upgrade to 6.0.4 or later
• —upgrade to 4.2.30 or later

Is CVE-2026-33033 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• >= 4.2.0, < 4.2.30, >= 5.2.0, < 5.2.13, >= 6.0.0, < 6.0.4
• from 0
• >= 6.0, < 6.0.4
• >= 4.2, < 4.2.30, >= 5.2, < 5.2.13, >= 6.0, < 6.0.4

CVSS scores

References (10)

• ADVISORYgithub.com/advisories/GHSA-5mf9-h53q-7mhq
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-33033
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-33033
• PATCHdocs.djangoproject.com/en/dev/releases/security/
• PATCH