CVE-2026-4044: Path Traversal in projectsend
A vulnerability was detected in projectsend up to r1945. This affects the function realpath of the file /import-orphans.php of the component Delete Handler. Performing a manipulation of the argument files[] results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2026-4044 is a path traversal vulnerability identified in projectsend, an open-source file sharing application, affecting versions up to r1945. The vulnerability exists in the /import-orphans.php file within the Delete Handler component, where the realpath function is used insecurely to process the files[] parameter. By manipulating this parameter, an attacker can traverse directories outside the intended scope, potentially accessing or deleting arbitrary files on the server. The vulnerability is exploitable remotely without requiring user interaction but does require high privileges (PR:H), which means the attacker must already hold authenticated, elevated access to the application. The CVSS 4.0 vector indicates no user interaction (UI:N), no scope change (S:U), no confidentiality impact and only low integrity and availability impact (VC:N, VI:L, VA:L), resulting in a medium severity score of 5.1. The vendor was contacted early but did not respond or release a patch, and a public exploit is now available, increasing the risk of exploitation. No known exploits in the wild have been reported yet. This vulnerability can lead to unauthorized file access or deletion, potentially disrupting service or exposing sensitive data depending on the server configuration and file permissions.
Potential Impact
The primary impact of CVE-2026-4044 is unauthorized access or deletion of files on servers running vulnerable versions of projectsend. This can lead to partial loss of data integrity and availability, especially if critical files are deleted or modified. Confidentiality impact is limited but possible if sensitive files are accessible via path traversal. Since exploitation requires high privileges, the threat is more significant in environments where attackers have gained elevated access or where internal users are malicious. Organizations relying on projectsend for secure file sharing may face operational disruptions, data leakage, or compliance violations if exploited. The lack of vendor response and public exploit availability increase the risk of exploitation attempts. This vulnerability could be leveraged as part of a larger attack chain to escalate privileges or move laterally within a network.
Mitigation Recommendations
1. Immediately restrict access to the /import-orphans.php endpoint to trusted administrators only, using network-level controls such as IP whitelisting or VPN access.
2. Implement strict input validation and sanitization on the files[] parameter to prevent directory traversal sequences (e.g., ../).
3. Employ web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting projectsend.
4. Monitor server logs for suspicious requests involving the files[] parameter or unusual file access patterns.
5. If possible, upgrade to a patched version once the vendor releases one, or consider applying community or third-party patches that address this vulnerability.
6. Limit file system permissions for the web server user to the minimum necessary, preventing access to sensitive directories outside the intended scope.
7. Conduct regular security audits and penetration tests focusing on file handling components.
8. Educate administrators about the risk and signs of exploitation to enable rapid incident response.
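As an added illustration of mitigations 2 and 6 (this is example code written for this page, not projectsend's own handler or patch), the check below shows how a files[] list should be contained: realpath() on its own proves nothing, because it happily resolves ../ segments and symlinks to wherever they point, so the resolved result has to be compared against the resolved base directory. The directory layout, file names and request values are constructed for the demo and are not projectsend's real paths.

```python
import os
import tempfile

def resolve_in_base(base_dir, name):
    """Return the resolved path of `name` if it stays inside base_dir, else None."""
    base = os.path.realpath(base_dir)
    if not name or os.path.isabs(name):
        return None
    # Reject traversal segments textually, so the request can be logged as
    # hostile before the file system is touched at all.
    if ".." in name.replace("\\", "/").split("/"):
        return None
    candidate = os.path.realpath(os.path.join(base, name))
    # realpath() alone proves nothing: it follows symlinks and "..", so the
    # result must be compared against the resolved base. commonpath() avoids
    # the prefix bug where "/srv/upload_evil" would match "/srv/upload".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None

def filter_files(base_dir, files):
    """Split a files[] list into accepted resolved paths and rejected raw names."""
    accepted, rejected = [], []
    for name in files:
        resolved = resolve_in_base(base_dir, name)
        if resolved is None:
            rejected.append(name)
        else:
            accepted.append(resolved)
    return accepted, rejected

def run_demo():
    """Constructed layout (not projectsend's real tree): <root>/upload holds
    user files, <root>/config.php must never be reachable via files[]."""
    root = tempfile.mkdtemp(prefix="ps-demo-")
    upload = os.path.join(root, "upload")
    os.makedirs(upload)
    with open(os.path.join(upload, "report.pdf"), "w") as fh:
        fh.write("ok")
    with open(os.path.join(root, "config.php"), "w") as fh:
        fh.write("secret")
    # A symlink planted inside the upload directory that points outside it.
    os.symlink(os.path.join(root, "config.php"), os.path.join(upload, "link.pdf"))
    request = ["report.pdf", "../config.php", "link.pdf", "/etc/hostname", "sub/../report.pdf"]
    return filter_files(upload, request)

if __name__ == "__main__":
    print(run_demo())
```

Only the plain file name inside the upload directory survives; the traversal entry, the absolute path, the escaping symlink and the name with an embedded ".." segment are all rejected and can be logged per mitigation 4.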
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-12T09:07:40.791Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b2df702f860ef943b15ccf
Added to database: 3/12/2026, 3:44:48 PM
Last enriched: 3/12/2026, 4:02:15 PM
Last updated: 3/13/2026, 11:29:09 AM