Browse all 13 CVE security advisories affecting expressjs. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Express.js serves as a minimal and flexible Node.js web application framework for building server-side applications and APIs. Historically, it has been susceptible to common web vulnerabilities including Remote Code Execution (RCE), Cross-Site Scripting (XSS), and privilege escalation, often stemming from middleware misconfigurations or input validation flaws. The framework's extensive middleware ecosystem has introduced security challenges, with 13 CVEs documented to date. Notable incidents include the 2018 "prototype pollution" vulnerability affecting multiple packages, demonstrating how core functionality can be compromised. While widely adopted, developers must carefully implement security measures to mitigate risks associated with its lightweight architecture and extensive plugin ecosystem.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-3520 | Multer vulnerable to Denial of Service via uncontrolled recursion — multer (CWE-674) | 7.5 | - | 2026-03-04 |
| CVE-2026-3304 | Multer vulnerable to Denial of Service via incomplete cleanup — multer (CWE-459) | 7.5 | - | 2026-02-27 |
| CVE-2026-2359 | Multer vulnerable to Denial of Service via resource exhaustion — multer (CWE-772) | 7.5 | - | 2026-02-27 |
| CVE-2025-7338 | Multer vulnerable to Denial of Service via unhandled exception from malformed request — multer (CWE-248) | 7.5 | High | 2025-07-17 |
| CVE-2025-48997 | Multer vulnerable to Denial of Service via unhandled exception — multer (CWE-248) | 7.5 | - | 2025-06-03 |
| CVE-2025-47944 | Multer vulnerable to Denial of Service from maliciously crafted requests — multer (CWE-248) | 7.5 | High | 2025-05-19 |
| CVE-2025-47935 | Multer vulnerable to Denial of Service via memory leaks from unclosed streams — multer (CWE-401) | 7.5 | High | 2025-05-19 |
This page lists every published CVE security advisory associated with expressjs. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.