CVE-2026-41180
Published: 23 April 2026
Summary
CVE-2026-41180 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the 11.3 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the path traversal vulnerability by requiring validation of decoded file paths in upload requests, preventing writes to unauthorized directories such as the application root.
- SI-2 (Flaw Remediation): addresses the specific flaw by mandating timely remediation through patching, such as upgrading PsiTransfer to version 2.4.3, which fixes the encoding mismatch.
- Enforces access controls that restrict file writes to the designated upload directory only, limiting the impact of traversal attempts on sensitive paths such as `conf`.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the public-facing PsiTransfer upload endpoint allows exploitation of the web application (T1190) to write a malicious JavaScript payload onto the server (T1105, Ingress Tool Transfer); that payload executes on the next restart, yielding remote code execution.
NVD Description
PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under `/files/:uploadId` validates the mounted request path using the still-encoded `req.path`, but the downstream tus handler later writes using the decoded `req.params.uploadId`. In deployments that use a supported custom `PSITRANSFER_UPLOAD_DIR` whose basename prefixes a startup-loaded JavaScript path, such as `conf`, an unauthenticated attacker can create `config.<NODE_ENV>.js` in the application root. The attacker-controlled file is then executed on the next process restart. Version 2.4.3 contains a patch.
Deeper analysis
PsiTransfer, an open-source self-hosted file sharing solution, is affected by CVE-2026-41180 in versions prior to 2.4.3. The vulnerability stems from a path traversal flaw (CWE-22) in the upload PATCH flow under the `/files/:uploadId` endpoint. The application validates the mounted request path using the still-encoded `req.path`, but the downstream tus handler subsequently writes files using the decoded `req.params.uploadId`. This discrepancy enables directory traversal in deployments configured with a custom `PSITRANSFER_UPLOAD_DIR` whose basename prefixes a startup-loaded JavaScript path, such as `conf`.
An unauthenticated attacker can exploit this vulnerability over the network with high attack complexity and required user interaction, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). By crafting a malicious upload request, the attacker can create a file named `config.<NODE_ENV>.js` in the application root. This attacker-controlled JavaScript file is then executed automatically on the next process restart, resulting in remote code execution with high confidentiality, integrity, and availability impact.
The PsiTransfer security advisory (GHSA-533q-w4g6-5586) and release notes for version 2.4.3 detail the patch, which addresses the encoding mismatch in the upload handling logic. The fixing commit is available at https://github.com/psi-4ward/psitransfer/commit/8b547bf3e09757122efa00aab90281e3915aa0c6, and users are advised to upgrade to version 2.4.3 or later for mitigation.
Details
- CWE(s)