CVE-2026-3304

UNKNOWN 0.0

Multer vulnerable to Denial of Service via incomplete cleanup

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.

CWE	CWE-459
Vendor	expressjs
Product	multer
Published	Feb 27, 2026
Last Updated	Feb 27, 2026

Stay Ahead of the Next One

Get instant alerts for expressjs multer

Be the first to know when new unknown vulnerabilities affecting expressjs multer are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

expressjs / multer

0.0.0 < 2.1.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p cve.org: https://www.cve.org/CVERecord?id=CVE-2026-3304 github.com: https://github.com/expressjs/multer/commit/739919097dde3921ec31b930e4b9025036fa74ee cna.openjsf.org: https://cna.openjsf.org/security-advisories.html