What is CVE-2026-5038?

CVE-2026-5038 is a medium-severity vulnerability in Expressjs Multer, classified under Incomplete Cleanup. CVSS score: 5.3/10. Published 2026-06-15.

How severe is CVE-2026-5038?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Vulnerability in Expressjs Multer

CVE-2026-5038

Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() cal…

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.

Affected products

Expressjs Multer — versions 3.0.0
Multer — versions 2.0.0-alpha.1, 2.2.0, 3.0.0-alpha.1

Weakness classification (CWE)

CWE-459 — Incomplete Cleanup

References

ce714d77-add3-4f53-aff5-83d477b104bb (Vendor Advisory)
ce714d77-add3-4f53-aff5-83d477b104bb (Vendor Advisory)

Frequently asked questions

What is CVE-2026-5038?: CVE-2026-5038 is a medium-severity vulnerability in Expressjs Multer, classified under Incomplete Cleanup. CVSS score: 5.3/10. Published 2026-06-15.
How severe is CVE-2026-5038?: Medium severity. CVSS v3 base score is 5.3 out of 10.