PT-2026-34592 · Unknown · Psitransfer

Published 2026-04-16 · Updated 2026-04-23 · CVE-2026-41180
CVSS v3.1: 7.5 High
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PsiTransfer versions prior to 2.4.3
Description: The upload PATCH flow under '/files/:uploadId' validates the mounted request path using the still percent-encoded req.path, while the downstream tus handler writes using the decoded req.params.uploadId. In deployments using a custom PSITRANSFER_UPLOAD_DIR whose basename is a string prefix of a JavaScript file loaded at startup (for example an upload directory named conf, which prefixes config.<NODE_ENV>.js), an unauthenticated attacker can create a config.<NODE_ENV>.js file in the application root. This attacker-controlled file is executed on the next process restart.
Recommendations: Update to version 2.4.3. As an interim check, confirm that the basename of the configured upload directory does not prefix any file PsiTransfer loads at startup, since the description ties exploitation to that directory layout.

Exploit · Fix · Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-41180
GHSA-533Q-W4G6-5586

Affected Products

Psitransfer