Cyber Resilience

CVE-2026-4191

Severity: Medium (CVSS v4 base score 6.9)
Published: 16 March 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: none from the vendor
CVSS v4 score: 6.9
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0002 (5.1st percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-4191 is a medium-severity Improper Access Control (CWE-284) vulnerability, also classified as Unrestricted Upload of File with Dangerous Type (CWE-434), in the JawherKl node-api-postgres package up to version 2.5. NVD has not filed a CPE for it; the affected product is taken from the advisory text and references (the hackmd.io reference hosts the write-up and is not the affected product). Its CVSS v4 base score is 6.9 (Medium); the CVSS v3.1 base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 5.1st percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-4191 is a vulnerability in the JawherKl node-api-postgres package up to version 2.5, published on 2026-03-16. The flaw lies in the use of the path.extname function in index.js, in the Profile Picture Handler component, and results in unrestricted file upload. It is classified under CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), with a CVSS v3.1 base score of 7.3 (High; AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by unauthenticated attackers with low attack complexity and no user interaction. The CVSS impact metrics are Low for confidentiality, integrity and availability, but an unrestricted upload is a foothold rather than an end state: the real impact depends on what the attacker uploads and on whether the web server will execute or serve the stored file.

Advisories note that the vendor was contacted early about the disclosure but did not respond, implying no official patch or mitigation guidance is available from them. Relevant details are provided in references including https://hackmd.io/@YzU_KiOzT86cEbFQdBceVg/Bk56LQQYbe, https://vuldb.com/?ctiid.351098, https://vuldb.com/?id.351098, and https://vuldb.com/?submit.770002.

An exploit has been published and may be used, increasing the risk for deployments relying on the affected package.

Vulnerability details

A flaw has been found in JawherKl node-api-postgres up to 2.5. Affected is the function path.extname of the file index.js of the component Profile Picture Handler. This manipulation causes unrestricted upload. The attack can be carried out remotely.…

The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

CWE-284 Improper Access Control
CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload (CWE-434) in public-facing Node.js API component directly enables remote exploitation of public-facing apps (T1190) and deployment of web shells via dangerous file types (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13144 (shared CWE-284, CWE-434)
CVE-2025-8255 (shared CWE-284, CWE-434)
CVE-2025-2219 (shared CWE-284, CWE-434)
CVE-2025-7413 (shared CWE-284, CWE-434)
CVE-2025-0341 (shared CWE-284, CWE-434)
CVE-2026-3748 (shared CWE-284, CWE-434)
CVE-2026-2666 (shared CWE-284, CWE-434)
CVE-2026-2979 (shared CWE-284, CWE-434)
CVE-2026-3800 (shared CWE-284, CWE-434)
CVE-2025-1355 (shared CWE-284, CWE-434)

Affected Assets

JawherKl node-api-postgres, up to version 2.5
inferred from the advisory description and references; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent)

Directly prevents unrestricted file uploads by requiring validation of profile picture inputs for type, extension, and content, rather than relying on the path.extname result alone.

AC-3 Access Enforcement (prevent)

Enforces access control policies to block unauthenticated remote exploitation of the Profile Picture Handler's unrestricted upload vulnerability.

SI-2 Flaw Remediation (prevent, recover; control identifier inferred from the description)

Requires timely identification, reporting, and remediation of the specific flaw in JawherKl node-api-postgres up to version 2.5, for example by patching or replacing the package.

References

https://hackmd.io/@YzU_KiOzT86cEbFQdBceVg/Bk56LQQYbe
https://vuldb.com/?ctiid.351098
https://vuldb.com/?id.351098
https://vuldb.com/?submit.770002