CVE-2026-8161

🗓️ 12 May 2026 08:50:37Reported by openjsType

cve🔗 web.nvd.nist.gov👁 49 Views🌐 WEB

Multiparty up to 4.2.3 is vulnerable to Denial of Service via prototype pollution, causing an uncaught TypeError.

Reporter	Title	Published	Views	Family All 20
GithubExploit	Exploit for CVE-2026-8161	11 May 202619:55	–	githubexploit
ATTACKERKB	CVE-2026-8161	12 May 202608:50	–	attackerkb
Circl	CVE-2026-8161	11 May 202623:00	–	circl
CNNVD	multiparty 安全漏洞	12 May 202600:00	–	cnnvd
Cvelist	CVE-2026-8161 multiparty vulnerable to Denial of Service via Prototype Pollution leading to Uncaught Exception	12 May 202608:50	–	cvelist
Debian CVE	CVE-2026-8161	12 May 202608:50	–	debiancve
EUVD	EUVD-2026-29440	18 May 202617:35	–	euvd
Github Security Blog	multiparty: Denial of Service via Prototype Pollution leads to Uncaught Exception	18 May 202617:35	–	github
NVD	CVE-2026-8161	12 May 202610:16	–	nvd
OSV	DEBIAN-CVE-2026-8161	12 May 202610:16	–	osv

NVD

Node

pillarjs multipartyRange<4.3.0node.js

[
  {
    "vendor": "multiparty",
    "product": "multiparty",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThanOrEqual": "4.2.3",
        "versionType": "semver"
      },
      {
        "status": "unaffected",
        "version": "4.3.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected",
    "packageURL": "pkg:npm/multiparty"
  }
]

Source	Link
github	www.github.com/pillarjs/multiparty/security/advisories/GHSA-qxch-whhj-8956
cna	www.cna.openjsf.org/security-advisories.html

Parameter	Position	Path	Description	CWE
field name that can collide with inherited Object.prototype properties (e.g., __proto__)	request body	/api/submit	Multiparty 4.2.3 vulnerability where a crafted multipart field name can cause push() to be invoked on an inherited prototype value, leading to an uncaught exception and potential denial of service.	CWE-1321, CWE-248

17 Jun 2026 11:03Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.17.5

EPSS0.00473

SSVC