CVE-2026-41180: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in psi-4ward psitransfer
CVE-2026-41180 is a path traversal vulnerability in psi-4ward's psitransfer versions prior to 2. 4. 3. The issue arises because the upload PATCH flow validates the request path using an encoded path but writes files using a decoded parameter, allowing an unauthenticated attacker to create malicious JavaScript files in the application root. These attacker-controlled files can then be executed upon the next process restart, leading to potential full compromise. A patch fixing this vulnerability was released in version 2. 4. 3.
AI Analysis
Technical Summary
PsiTransfer before version 2.4.3 improperly limits pathname traversal in its upload PATCH flow at the `/files/:uploadId` endpoint. The validation uses the encoded request path, but the file write operation uses the decoded uploadId parameter, enabling an attacker to traverse directories and write files outside the intended directory. In deployments using a custom upload directory with a basename prefix matching a startup-loaded JavaScript path (e.g., 'conf'), an unauthenticated attacker can create files like `config.<NODE_ENV>.js` in the application root. These files are executed on process restart, allowing remote code execution. Version 2.4.3 contains a patch that addresses this issue.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to write arbitrary files into the application root directory, specifically attacker-controlled JavaScript files that are executed on the next process restart. This leads to remote code execution with the privileges of the application, potentially compromising confidentiality, integrity, and availability of the system. The CVSS score of 7.5 reflects high impact with network attack vector, high confidentiality, integrity, and availability impacts, but requiring user interaction and high attack complexity.
Mitigation Recommendations
Version 2.4.3 of psitransfer contains a patch that fixes this path traversal vulnerability. Users should upgrade to version 2.4.3 or later to remediate the issue. Since this is a self-hosted application, patching is the primary mitigation. No vendor advisory content contradicts this; therefore, upgrading is strongly recommended.
CVE-2026-41180: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in psi-4ward psitransfer
Description
CVE-2026-41180 is a path traversal vulnerability in psi-4ward's psitransfer versions prior to 2. 4. 3. The issue arises because the upload PATCH flow validates the request path using an encoded path but writes files using a decoded parameter, allowing an unauthenticated attacker to create malicious JavaScript files in the application root. These attacker-controlled files can then be executed upon the next process restart, leading to potential full compromise. A patch fixing this vulnerability was released in version 2. 4. 3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
PsiTransfer before version 2.4.3 improperly limits pathname traversal in its upload PATCH flow at the `/files/:uploadId` endpoint. The validation uses the encoded request path, but the file write operation uses the decoded uploadId parameter, enabling an attacker to traverse directories and write files outside the intended directory. In deployments using a custom upload directory with a basename prefix matching a startup-loaded JavaScript path (e.g., 'conf'), an unauthenticated attacker can create files like `config.<NODE_ENV>.js` in the application root. These files are executed on process restart, allowing remote code execution. Version 2.4.3 contains a patch that addresses this issue.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to write arbitrary files into the application root directory, specifically attacker-controlled JavaScript files that are executed on the next process restart. This leads to remote code execution with the privileges of the application, potentially compromising confidentiality, integrity, and availability of the system. The CVSS score of 7.5 reflects high impact with network attack vector, high confidentiality, integrity, and availability impacts, but requiring user interaction and high attack complexity.
Mitigation Recommendations
Version 2.4.3 of psitransfer contains a patch that fixes this path traversal vulnerability. Users should upgrade to version 2.4.3 or later to remediate the issue. Since this is a self-hosted application, patching is the primary mitigation. No vendor advisory content contradicts this; therefore, upgrading is strongly recommended.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-17T16:34:45.526Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e9707c87115cfb6852212c
Added to database: 4/23/2026, 1:06:04 AM
Last enriched: 4/23/2026, 1:22:06 AM
Last updated: 4/23/2026, 7:22:15 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.