CVE-2026-41180: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in psi-4ward psitransfer
CVE-2026-41180 is a path traversal vulnerability in psi-4ward's psitransfer versions prior to 2. 4. 3. It arises from inconsistent validation of the upload path during the PATCH request flow, allowing an unauthenticated attacker to write files outside the intended directory. Specifically, the vulnerability enables creation of attacker-controlled JavaScript files in the application root, which are executed upon process restart. This can lead to full compromise of the application. A patch fixing this issue is included in version 2. 4. 3.
AI Analysis
Technical Summary
PsiTransfer before version 2.4.3 improperly limits pathname traversal in the upload PATCH flow at the `/files/:uploadId` endpoint. The vulnerability is due to validation of the request path using the still-encoded `req.path`, while the downstream handler writes using the decoded `req.params.uploadId`. In deployments using a custom upload directory with a basename prefix matching a startup-loaded JavaScript path (e.g., `conf`), an unauthenticated attacker can create malicious JavaScript files such as `config.<NODE_ENV>.js` in the application root. These files are executed on the next process restart, allowing code execution. Version 2.4.3 contains a patch addressing this issue.
Potential Impact
An unauthenticated attacker can exploit this path traversal vulnerability to write arbitrary JavaScript files into the application root directory. Because these files are executed on process restart, the attacker can achieve remote code execution, leading to full compromise of the application. The CVSS score of 7.5 reflects high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Upgrade to psi-4ward psitransfer version 2.4.3 or later, which contains a patch for this vulnerability. Until upgraded, restrict access to the upload endpoint and avoid using custom upload directories with basenames that overlap startup-loaded JavaScript paths. Patch status is not explicitly stated beyond the version 2.4.3 fix; check the vendor advisory for the latest remediation guidance.
CVE-2026-41180: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in psi-4ward psitransfer
Description
CVE-2026-41180 is a path traversal vulnerability in psi-4ward's psitransfer versions prior to 2. 4. 3. It arises from inconsistent validation of the upload path during the PATCH request flow, allowing an unauthenticated attacker to write files outside the intended directory. Specifically, the vulnerability enables creation of attacker-controlled JavaScript files in the application root, which are executed upon process restart. This can lead to full compromise of the application. A patch fixing this issue is included in version 2. 4. 3.
CVSS v3.1
Score 7.5high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
PsiTransfer before version 2.4.3 improperly limits pathname traversal in the upload PATCH flow at the `/files/:uploadId` endpoint. The vulnerability is due to validation of the request path using the still-encoded `req.path`, while the downstream handler writes using the decoded `req.params.uploadId`. In deployments using a custom upload directory with a basename prefix matching a startup-loaded JavaScript path (e.g., `conf`), an unauthenticated attacker can create malicious JavaScript files such as `config.<NODE_ENV>.js` in the application root. These files are executed on the next process restart, allowing code execution. Version 2.4.3 contains a patch addressing this issue.
Potential Impact
An unauthenticated attacker can exploit this path traversal vulnerability to write arbitrary JavaScript files into the application root directory. Because these files are executed on process restart, the attacker can achieve remote code execution, leading to full compromise of the application. The CVSS score of 7.5 reflects high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Upgrade to psi-4ward psitransfer version 2.4.3 or later, which contains a patch for this vulnerability. Until upgraded, restrict access to the upload endpoint and avoid using custom upload directories with basenames that overlap startup-loaded JavaScript paths. Patch status is not explicitly stated beyond the version 2.4.3 fix; check the vendor advisory for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-17T16:34:45.526Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e9707c87115cfb6852212c
Added to database: 4/23/2026, 1:06:04 AM
Last enriched: 4/30/2026, 8:13:48 AM
Last updated: 6/7/2026, 1:41:13 AM
Views: 62
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.