PT-2026-1121 · Adonisjs+1

Wodzen · Published 2026-01-02 · Updated 2026-02-07 · CVE-2026-21440

CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:C
Name of the Vulnerable Software and Affected Versions: AdonisJS versions through 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6

Description: A Path Traversal vulnerability exists in the AdonisJS multipart file handling process. This flaw allows a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. The vulnerability is present in the @adonisjs/bodyparser package. Exploitation involves crafted upload filenames, potentially leading to remote code execution (RCE) if the MultipartFile.move() function is used without proper sanitization. Approximately 44,500 potentially affected systems have been identified. The vulnerability allows attackers to bypass file upload restrictions and overwrite system files, potentially leading to full control over the compromised system.

Recommendations: Update to @adonisjs/bodyparser version 10.1.2 or later. Update to @adonisjs/bodyparser version 11.0.0-next.6 or later. Ensure strict server-side filename validation is enforced to prevent path traversal attacks. Avoid enabling overwrite functionality unless absolutely necessary.

Tags: Exploit · Fix · RCE · Path traversal

Weakness Enumeration

Related Identifiers

BDU:2026-00120
CVE-2026-21440
GHSA-GVQ6-HVVP-H34H

Affected Products

@Adonisjs/Bodyparser
Adonisjs