{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41180", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-17T16:34:45.526Z", "datePublished": "2026-04-23T00:10:58.230Z", "dateUpdated": "2026-04-23T13:59:14.836Z"}, "containers": {"cna": {"title": "PsiTransfer: Upload PATCH path traversal can create `config.<NODE_ENV>.js` and lead to code execution on restart", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586"}, {"name": "https://github.com/psi-4ward/psitransfer/commit/8b547bf3e09757122efa00aab90281e3915aa0c6", "tags": ["x_refsource_MISC"], "url": "https://github.com/psi-4ward/psitransfer/commit/8b547bf3e09757122efa00aab90281e3915aa0c6"}, {"name": "https://github.com/psi-4ward/psitransfer/releases/tag/v2.4.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/psi-4ward/psitransfer/releases/tag/v2.4.3"}], "affected": [{"vendor": "psi-4ward", "product": "psitransfer", "versions": [{"version": "< 2.4.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T00:10:58.230Z"}, "descriptions": [{"lang": "en", "value": "PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under `/files/:uploadId` validates the mounted request path using the still-encoded `req.path`, but the downstream tus handler later writes using the decoded `req.params.uploadId`. In deployments that use a supported custom `PSITRANSFER_UPLOAD_DIR` whose basename prefixes a startup-loaded JavaScript path, such as `conf`, an unauthenticated attacker can create `config.<NODE_ENV>.js` in the application root. The attacker-controlled file is then executed on the next process restart. Version 2.4.3 contains a patch."}], "source": {"advisory": "GHSA-533q-w4g6-5586", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T13:58:52.952704Z", "id": "CVE-2026-41180", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T13:59:14.836Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41180", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-17T16:34:45.526Z", "datePublished": "2026-04-23T00:10:58.230Z", "dateUpdated": "2026-04-23T13:59:14.836Z"}, "containers": {"cna": {"title": "PsiTransfer: Upload PATCH path traversal can create `config.<NODE_ENV>.js` and lead to code execution on restart", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586"}, {"name": "https://github.com/psi-4ward/psitransfer/commit/8b547bf3e09757122efa00aab90281e3915aa0c6", "tags": ["x_refsource_MISC"], "url": "https://github.com/psi-4ward/psitransfer/commit/8b547bf3e09757122efa00aab90281e3915aa0c6"}, {"name": "https://github.com/psi-4ward/psitransfer/releases/tag/v2.4.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/psi-4ward/psitransfer/releases/tag/v2.4.3"}], "affected": [{"vendor": "psi-4ward", "product": "psitransfer", "versions": [{"version": "< 2.4.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T00:10:58.230Z"}, "descriptions": [{"lang": "en", "value": "PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under `/files/:uploadId` validates the mounted request path using the still-encoded `req.path`, but the downstream tus handler later writes using the decoded `req.params.uploadId`. In deployments that use a supported custom `PSITRANSFER_UPLOAD_DIR` whose basename prefixes a startup-loaded JavaScript path, such as `conf`, an unauthenticated attacker can create `config.<NODE_ENV>.js` in the application root. The attacker-controlled file is then executed on the next process restart. Version 2.4.3 contains a patch."}], "source": {"advisory": "GHSA-533q-w4g6-5586", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41180", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-23T13:58:52.952704Z"}}}], "references": [{"url": "https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T13:59:11.539Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under `/files/:uploadId` validates the mounted request path using the still-encoded `req.path`, but the downstream tus handler later writes using the decoded `req.params.uploadId`. In deployments that use a supported custom `PSITRANSFER_UPLOAD_DIR` whose basename prefixes a startup-loaded JavaScript path, such as `conf`, an unauthenticated attacker can create `config.<NODE_ENV>.js` in the application root. The attacker-controlled file is then executed on the next process restart. Version 2.4.3 contains a patch."}], "id": "CVE-2026-41180", "lastModified": "2026-04-29T21:08:02.250", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-23T02:16:15.977", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/psi-4ward/psitransfer/commit/8b547bf3e09757122efa00aab90281e3915aa0c6"}, {"source": "security-advisories@github.com", "url": "https://github.com/psi-4ward/psitransfer/releases/tag/v2.4.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.4.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "psitransfer", "source": "cna", "vendor": "psi-4ward"}, "product": "psitransfer", "vendor": "psi-4ward"}], "analysis": {"en": {"generated_at": "2026-04-28T20:36:10.200328+00:00", "value": {"mitigation_remediation": ["Upgrade psi\u20114ward PsiTransfer to version 2.4.3 or later, which contains the path validation fix.", "Review and modify the PSITRANSFER_UPLOAD_DIR configuration so that its basename does not conflict with server\u2011side JavaScript paths, or remove the custom directory setting entirely.", "After applying the update, restart the PsiTransfer service immediately to load the new configuration and prevent execution of any newly created config.<NODE_ENV>.js files."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "psi\u20114ward PsiTransfer installations that use a custom PSITRANSFER_UPLOAD_DIR whose basename prefixes a server\u2011side JavaScript path, such as conf, are affected. All versions prior to 2.4.3 contain the flaw; version 2.4.3 and later include the path\u2011validation fix.", "description_and_impact": "The vulnerability arises in the upload PATCH flow of PsiTransfer. The flaw is a directory traversal vulnerability (CWE-22), where the application does not properly validate the mounted request path, allowing an attacker to craft a path that leads to the creation of a file named config.<NODE_ENV>.js in the application root. Because this file is loaded automatically on the next process restart, an unauthenticated attacker can inject and execute arbitrary JavaScript code when the service restarts, resulting in remote code execution with the privileges of the running process.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity, yet the EPSS score of less than 1% suggests the likelihood of exploitation in the wild is currently low, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an unauthenticated attacker to issue a PATCH request to /files/:uploadId and subsequently trigger a restart of the application. Once executed, it would provide full code execution on the host running PsiTransfer."}}}}, "created": "2026-04-27T22:30:14.287648+00:00", "updated": "2026-04-28T20:45:16.591590+00:00", "vendors": ["psi-4ward", "psi-4ward$PRODUCT$psitransfer"]}