{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21440", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-29T03:00:29.276Z", "datePublished": "2026-01-02T19:02:18.393Z", "dateUpdated": "2026-01-05T20:37:47.577Z"}, "containers": {"cna": {"title": "AdonisJS Path Traversal in Multipart File Handling", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.2, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/adonisjs/core/security/advisories/GHSA-gvq6-hvvp-h34h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/adonisjs/core/security/advisories/GHSA-gvq6-hvvp-h34h"}, {"name": "https://github.com/adonisjs/bodyparser/commit/143a16f35602be8561215611582211dec280cae6", "tags": ["x_refsource_MISC"], "url": "https://github.com/adonisjs/bodyparser/commit/143a16f35602be8561215611582211dec280cae6"}, {"name": "https://github.com/adonisjs/bodyparser/commit/6795c0e3fa824ae275bbd992aae60609e96f0f03", "tags": ["x_refsource_MISC"], "url": "https://github.com/adonisjs/bodyparser/commit/6795c0e3fa824ae275bbd992aae60609e96f0f03"}, {"name": "https://github.com/adonisjs/bodyparser/releases/tag/v10.1.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/adonisjs/bodyparser/releases/tag/v10.1.2"}, {"name": "https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.6"}], "affected": [{"vendor": "adonisjs", "product": "core", "versions": [{"version": "< 10.1.2", "status": "affected"}, {"version": ">= 11.0.0-next.0, < 11.0.0-next.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-02T19:02:18.393Z"}, "descriptions": [{"lang": "en", "value": "AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6."}], "source": {"advisory": "GHSA-gvq6-hvvp-h34h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-05T20:31:29.643534Z", "id": "CVE-2026-21440", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-05T20:37:47.577Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21440", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-05T20:31:29.643534Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-05T20:31:30.704Z"}}], "cna": {"title": "AdonisJS Path Traversal in Multipart File Handling", "source": {"advisory": "GHSA-gvq6-hvvp-h34h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.2, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "adonisjs", "product": "core", "versions": [{"status": "affected", "version": "< 10.1.2"}, {"status": "affected", "version": ">= 11.0.0-next.0, < 11.0.0-next.6"}]}], "references": [{"url": "https://github.com/adonisjs/core/security/advisories/GHSA-gvq6-hvvp-h34h", "name": "https://github.com/adonisjs/core/security/advisories/GHSA-gvq6-hvvp-h34h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/adonisjs/bodyparser/commit/143a16f35602be8561215611582211dec280cae6", "name": "https://github.com/adonisjs/bodyparser/commit/143a16f35602be8561215611582211dec280cae6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/adonisjs/bodyparser/commit/6795c0e3fa824ae275bbd992aae60609e96f0f03", "name": "https://github.com/adonisjs/bodyparser/commit/6795c0e3fa824ae275bbd992aae60609e96f0f03", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/adonisjs/bodyparser/releases/tag/v10.1.2", "name": "https://github.com/adonisjs/bodyparser/releases/tag/v10.1.2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.6", "name": "https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-02T19:02:18.393Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21440", "state": "PUBLISHED", "dateUpdated": "2026-01-05T20:37:47.577Z", "dateReserved": "2025-12-29T03:00:29.276Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-02T19:02:18.393Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6."}, {"lang": "es", "value": "AdonisJS es un web framework con prioridad en TypeScript. Una vulnerabilidad de salto de ruta en el manejo de archivos multipart de AdonisJS puede permitir a un atacante remoto escribir archivos arbitrarios en ubicaciones arbitrarias en el sistema de archivos del servidor. Esto afecta a @adonisjs/bodyparser hasta la versi\u00f3n 10.1.1 y a las versiones preliminares 11.x anteriores a la 11.0.0-next.6. Este problema ha sido parcheado en las versiones 10.1.2 y 11.0.0-next.6 de @adonisjs/bodyparser."}], "id": "CVE-2026-21440", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-02T19:15:48.607", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/adonisjs/bodyparser/commit/143a16f35602be8561215611582211dec280cae6"}, {"source": "security-advisories@github.com", "url": "https://github.com/adonisjs/bodyparser/commit/6795c0e3fa824ae275bbd992aae60609e96f0f03"}, {"source": "security-advisories@github.com", "url": "https://github.com/adonisjs/bodyparser/releases/tag/v10.1.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.6"}, {"source": "security-advisories@github.com", "url": "https://github.com/adonisjs/core/security/advisories/GHSA-gvq6-hvvp-h34h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:31:20.547851+00:00", "value": {"mitigation_remediation": ["Update @adonisjs/bodyparser to at least version 10.1.2 or 11.0.0\u2011next.6, which contains the official fix.", "If an upgrade cannot be performed immediately, enforce strict upload path validation by sanitizing filenames and confining writes to a dedicated safe directory with the minimum necessary permissions.", "Apply web\u2011application firewall rules to block multipart requests containing suspicious path traversal characters such as \"..\" or leading slashes.", "Audit server file permissions to ensure the user running the application cannot write to sensitive system directories."], "summary": {"action": "Immediate Patch", "impact": "Remote file write enabling potential code execution or defacement"}, "threat_synthesis": {"affected_systems": "The flaw affects AdonisJS core\u2019s bodyparser module. Vulnerable versions include @adonisjs/bodyparser v10.1.1 and all 11.x pre\u2011release releases prior to 11.0.0\u2011next.6. The issue has been fixed in v10.1.2 and 11.0.0\u2011next.6.", "description_and_impact": "A path traversal flaw in AdonisJS multipart file handling allows a remote attacker to write arbitrary files to any location on the server\u2019s filesystem. The vulnerability is a classic file\u2011write vulnerability (CWE\u201122) and can be leveraged to inject malicious scripts, overwrite configuration files, or deploy web shells, thereby providing a vector for remote code execution or system compromise.", "risk_and_exploitability": "The CVSS score of 9.2 marks this as a critical vulnerability, yet the EPSS score of less than 1% indicates a very low exploitation probability at the time of analysis. The flaw was not listed in the CISA KEV catalog. An attacker can exploit it over HTTP by crafting a multipart/form-data request with a manipulated filename containing path\u2011traversal tokens such as \"../\" to write files outside the intended upload directory. Successful exploitation typically requires the web application to run with file\u2011write permissions and may not necessitate additional privileges, making it a high\u2011risk but low\u2011prevalence threat."}}}}, "created": "2026-04-18T08:45:41.391431+00:00", "updated": "2026-04-18T08:45:41.391446+00:00", "vendors": []}