PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under /files/:uploadId validates the mounted request path using the still-encoded req.path, but the downstream tus handler later writes using the decoded req.params.uploadId. In deployments that use a supported custom PSITRANSFER_UPLOAD_DIR whose basename prefixes a startup-loaded JavaScript path, such as conf, an unauthenticated attacker can create config.<NODE_ENV>.js in the application root. The attacker-controlled file is then executed on the next process restart. Version 2.4.3 contains a patch.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41180.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-22"
]
}