Denial of Service Vulnerability in Multiparty by PillarJS
CVE-2026-8162

7.5 HIGH

Key Information:

Vendor

Multiparty

CVE Published:
12 May 2026

What is CVE-2026-8162?

Versions of the Multiparty package up to 4.2.3 are susceptible to denial of service vulnerabilities due to improperly handled multipart/form-data requests. Specifically, the failure to catch exceptions when processing malformed percent-encoded filename parameters results in uncaught exceptions that can crash the server process. Any application or service that accepts multipart uploads using the affected versions is at risk. Users are advised to upgrade to Multiparty version 4.3.0 or later to mitigate this risk, as there are no effective workarounds.
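The failure mode described above, shown as an added example that is not multiparty's code or its patch: a percent-decoder that reports malformed input as a rejected value instead of letting the exception reach the process. It assumes the filename arrives as an RFC 5987 style extended value (charset'language'value) and is decoded with JavaScript's built-in decodeURIComponent, which throws URIError on malformed sequences; the function names are hypothetical.

```javascript
// Added example; safeDecodeFilename and parseExtendedFilename are
// hypothetical names, not part of multiparty's API.

// Decode a percent-encoded value. decodeURIComponent throws URIError on a
// truncated escape or on bytes that are not valid UTF-8, so the call is
// wrapped and the failure is returned as null instead of propagating.
function safeDecodeFilename(encoded) {
  try {
    return decodeURIComponent(encoded);
  } catch (err) {
    if (err instanceof URIError) return null;
    throw err; // anything else is a programming error, not bad input
  }
}

// Parse an extended parameter value of the form charset'language'value
// (assumed format) and return a result object instead of throwing.
function parseExtendedFilename(param) {
  const m = /^([A-Za-z0-9!#$%&+\-^_`{}~]+)'([A-Za-z0-9-]*)'(.*)$/.exec(param);
  if (!m) return { ok: false, reason: 'not an extended value' };
  if (m[1].toLowerCase() !== 'utf-8') {
    return { ok: false, reason: 'unsupported charset' };
  }
  // Cheap structural check first: every '%' needs two hex digits after it.
  if (/%(?![0-9A-Fa-f]{2})/.test(m[3])) {
    return { ok: false, reason: 'malformed percent-encoding' };
  }
  // Well-formed escapes can still decode to invalid UTF-8.
  const filename = safeDecodeFilename(m[3]);
  if (filename === null) {
    return { ok: false, reason: 'invalid UTF-8 in percent-encoding' };
  }
  return { ok: true, filename };
}

// Constructed sample values; a caller would answer ok:false with HTTP 400.
const samples = ["UTF-8''report%20final.pdf", "UTF-8''bad%E0%A4%A", "UTF-8''%FF"];
for (const s of samples) {
  console.log(s, '->', JSON.stringify(parseExtendedFilename(s)));
}
```

This shows the handling pattern only; for affected versions the page's guidance is to upgrade to 4.3.0 or later.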

Affected Version(s)

multiparty 0 <= 4.2.3

multiparty 4.3.0

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Byambadalai Sumiya
Blake Embrey
Ulises Gascón