VYPR
High severity · 7.5 (NVD) · Advisory · Published Apr 23, 2026 · Updated Apr 29, 2026

CVE-2026-41180

Description

PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under /files/:uploadId validates the mounted request path using the still-encoded req.path, but the downstream tus handler later writes using the decoded req.params.uploadId. In deployments that use a supported custom PSITRANSFER_UPLOAD_DIR whose basename prefixes a startup-loaded JavaScript path, such as conf, an unauthenticated attacker can create config.<NODE_ENV>.js in the application root. The attacker-controlled file is then executed on the next process restart. Version 2.4.3 contains a patch.


Affected packages

Versions sourced from the GitHub Security Advisory.

Package: psitransfer (npm)
Affected versions: < 2.4.3
Patched versions: 2.4.3
