What is the CVSS score of CVE-2026-8162?

CVE-2026-8162 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of multiparty are affected by CVE-2026-8162?

CVE-2026-8162 affects multiparty Node.js parser versions ≤4.2.3, enabling unauthenticated remote denial of service attacks that crash application services through malformed file upload requests.. A patch is available.

multiparty CVE-2026-8162

EUVD-2026-29441 HIGH

Improper Handling of Exceptional Conditions (CWE-755)

2026-05-12 openjs

GHSA-xh3c-6gcq-g4rv

Denial Of Service

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

May 12, 2026 - 10:05 vuln.today

CVE Published

May 12, 2026 - 09:05 nvd

HIGH 7.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

966 npm packages depend on multiparty (514 direct, 462 indirect)

Ecosystem-wide dependent count for version 4.3.0.

DescriptionNVD

multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition header whose filename* parameter contains a malformed percent-encoding, the parser invokes decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.

AnalysisAI

Denial of service crashes multiparty Node.js parser versions ≤4.2.3 when processing malformed percent-encoded filename* parameters in multipart/form-data uploads. Attackers can remotely crash any Node.js service using vulnerable multiparty versions by sending a single crafted HTTP request with no authentication required (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). …

RemediationAI

Within 24 hours: inventory all Node.js applications and dependencies using multiparty ≤4.2.3 via package-lock.json and npm audit scanning. Within 7 days: upgrade multiparty to version 4.3.0 or later across all affected applications and redeploy. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-8162 vulnerability details – vuln.today

Back

multiparty CVE-2026-8162

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code