Description

PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under `/files/:uploadId` validates the mounted request path using the still-encoded `req.path`, but the downstream tus handler later writes using the decoded `req.params.uploadId`. In deployments that use a supported custom `PSITRANSFER_UPLOAD_DIR` whose basename prefixes a startup-loaded JavaScript path, such as `conf`, an unauthenticated attacker can create `config.<NODE_ENV>.js` in the application root. The attacker-controlled file is then executed on the next process restart. Version 2.4.3 contains a patch.

INFO

Published Date :

2026-04-23T00:10:58.230Z

Last Modified :

2026-04-23T13:59:14.836Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-41180 vulnerability.

Vendors Products
Psi-4ward
  • Psitransfer
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-41180.

URL Resource
https://github.com/psi-4ward/psitransfer/commit/8b547bf3e09757122efa00aab90281e3915aa0c6 cve-icon cve-icon
https://github.com/psi-4ward/psitransfer/releases/tag/v2.4.3 cve-icon cve-icon
https://github.com/psi-4ward/psitransfer/security/advisories/GHSA-533q-w4g6-5586 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact