CVE-2026-41180

Published: Apr 23, 2026

Modified: Apr 23, 2026

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under `/files/:uploadId` validates the mounted request path using the still-encoded `req.path`, but the downstream tus handler later writes using the decoded `req.params.uploadId`. In deployments that use a supported custom `PSITRANSFER_UPLOAD_DIR` whose basename prefixes a startup-loaded JavaScript path, such as `conf`, an unauthenticated attacker can create `config.<NODE_ENV>.js` in the application root. The attacker-controlled file is then executed on the next process restart. Version 2.4.3 contains a patch.

Vendor	Product	Versions
psi-4ward	psitransfer	affected `< 2.4.3`

Weaknesses (CWE)

CWE-22

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586

x_refsource_CONFIRM

https://github.com/psi-4ward/psitransfer/commit/8b547bf3e09757122efa00aab90281e3915aa0c6

x_refsource_MISC

https://github.com/psi-4ward/psitransfer/releases/tag/v2.4.3

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-41180

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References