Cyber Posture

CVE-2026-4191

Severity: High

Published: 16 March 2026

Modified: 22 April 2026
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0002 (4.6th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-4191 is a high-severity Improper Access Control (CWE-284) vulnerability in Hackmd (inferred from references). Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 4.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly prevents unrestricted file uploads by requiring validation of profile picture inputs for type, extension, and content beyond the flawed path.extname function.

prevent

Enforces access control policies to block unauthenticated remote exploitation of the Profile Picture Handler's unrestricted upload vulnerability.

prevent, recover

Requires timely identification, reporting, and remediation of the specific flaw in JawherKl node-api-postgres up to version 2.5, such as patching or replacement.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload (CWE-434) in a public-facing Node.js API component directly enables remote exploitation of public-facing apps (T1190) and deployment of web shells via dangerous file types (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A flaw has been found in JawherKl node-api-postgres up to 2.5. Affected is the function path.extname of the file index.js of the component Profile Picture Handler. This manipulation causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysis

CVE-2026-4191 is a vulnerability in the JawherKl node-api-postgres package up to version 2.5, published on 2026-03-16. The flaw affects the path.extname function in the index.js file of the Profile Picture Handler component, enabling unrestricted file uploads. It is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by unauthenticated attackers with low complexity, requiring no user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, primarily through unrestricted uploads that could lead to further compromise depending on the uploaded content.

Advisories note that the vendor was contacted early about the disclosure but did not respond, implying no official patch or mitigation guidance is available from them. Relevant details are provided in references including https://hackmd.io/@YzU_KiOzT86cEbFQdBceVg/Bk56LQQYbe, https://vuldb.com/?ctiid.351098, https://vuldb.com/?id.351098, and https://vuldb.com/?submit.770002.

An exploit has been published and may be used, increasing the risk for deployments relying on the affected package.

Details

CWE(s)

CWE-284 (Improper Access Control), CWE-434 (Unrestricted Upload of File with Dangerous Type)
Affected Products

Hackmd (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-7733 (shared CWE-284, CWE-434)
CVE-2026-2979 (shared CWE-284, CWE-434)
CVE-2025-7470 (shared CWE-284, CWE-434)
CVE-2026-3800 (shared CWE-284, CWE-434)
CVE-2026-4220 (shared CWE-284, CWE-434)
CVE-2026-4536 (shared CWE-284, CWE-434)
CVE-2025-15495 (shared CWE-284, CWE-434)
CVE-2026-3748 (shared CWE-284, CWE-434)
CVE-2026-1152 (shared CWE-284, CWE-434)
CVE-2026-2213 (shared CWE-284, CWE-434)

References

https://hackmd.io/@YzU_KiOzT86cEbFQdBceVg/Bk56LQQYbe
https://vuldb.com/?ctiid.351098
https://vuldb.com/?id.351098
https://vuldb.com/?submit.770002