Cyber Posture

CVE-2026-8161

High

Published: 12 May 2026

Published
12 May 2026
Modified
12 May 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0004 12.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-8161 is a high-severity Uncaught Exception (CWE-248) vulnerability in Openjsf (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, ranked at the 12.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SC-24 Fail in Known State
addresses: CWE-248

Prevents abrupt termination from uncaught exceptions by requiring a defined, preserved-state failure mode.

SI-17 Fail-safe Procedures
addresses: CWE-248

Requires pre-defined safe responses for uncaught exceptions so they do not result in undefined or insecure program termination.

NVD Description

multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes .push() on…

more

the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-248CWE-1321

Affected Products

Openjsf
inferred from references and description; NVD did not file a CPE for this CVE

References