CVE-2026-8162

High

Published: 12 May 2026

Published

12 May 2026

Modified

12 May 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0004 12.0th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-8162 is a high-severity Improper Handling of Exceptional Conditions (CWE-755) vulnerability in Openjsf (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, ranked at the 12.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AU-5 Response to Audit Logging Process Failures

addresses: CWE-755

Provides defined handling (alert and additional actions) for the exceptional condition of audit logging failure.

CP-12 Safe Mode

addresses: CWE-755

Supplies a concrete handling action (safe mode) for exceptional conditions, mitigating risks from improper or absent handling that could allow continued attacks.

CP-3 Contingency Training

addresses: CWE-755

By preparing users for contingency scenarios, the control promotes proper handling of exceptional conditions instead of default or unsafe behaviors.

CP-5 Contingency Plan Update

addresses: CWE-755

An updated contingency plan defines current actions for exceptional conditions, reducing the window for attackers to exploit improper handling leading to system failure.

IR-1 Policy and Procedures

addresses: CWE-755

Procedures ensure proper handling of exceptional conditions to support effective incident response.

IR-3 Incident Response Testing

addresses: CWE-755

Incident response testing confirms proper handling of exceptional conditions to limit exploit impact.

IR-7 Incident Response Assistance

addresses: CWE-755

Gives users guidance on incident handling, reducing improper handling of exceptional conditions that could stem from exploited weaknesses.

SC-24 Fail in Known State

addresses: CWE-755

Enforces structured response to exceptional conditions so the system cannot remain in an unsafe state.

NVD Description

multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition header whose filename* parameter contains a malformed percent-encoding, the parser invokes decodeURI on the value without try/catch. The resulting…

URIError propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-755

Affected Products

Openjsf

—

inferred from references and description; NVD did not file a CPE for this CVE

References

https://cna.openjsf.org/security-advisories.html
ce714d77-add3-4f53-aff5-83d477b104bb
https://github.com/pillarjs/multiparty/security/advisories/GHSA-xh3c-6gcq-g4rv
ce714d77-add3-4f53-aff5-83d477b104bb