PsiTransfer RCE: Unauthenticated Code Execution via Path Traversal

The National Vulnerability Database has published CVE-2026-41180, a high-severity (CVSS 7.5) path traversal vulnerability in PsiTransfer, an open-source file-sharing application. Before version 2.4.3, an unauthenticated attacker could achieve remote code execution (RCE). The flaw stems from an inconsistency between how the upload PATCH flow validates the request path and how the downstream tus handler uses it.

Specifically, the handler validates the still-percent-encoded `req.path`, but later builds the write path from the decoded `req.params.uploadId`. A traversal sequence that is percent-encoded in the URL therefore passes validation and is only decoded at the point where the path is used. When `PSITRANSFER_UPLOAD_DIR` is set to a custom location under a directory from which the application loads JavaScript at startup (such as `conf`), an attacker can use this to create a `config.<NODE_ENV>.js` file in the application root. That attacker-controlled file is loaded, and its code executed, on the next process restart.

This is a path traversal issue (CWE-22) with a CVSS score of 7.5 (High). Because the attack requires no authentication and leads to arbitrary code execution on the server, patching should be prioritized. The attack chain is straightforward: bypass the path check with an encoded traversal sequence, write a file that the application loads at startup, and wait for the next restart to gain persistent control of the host. PsiTransfer version 2.4.3 contains the fix.

What This Means For You

  • If your organization runs PsiTransfer, treat it as exposed to unauthenticated remote code execution until patched. Verify the installed version and upgrade to 2.4.3 or later. Review the `PSITRANSFER_UPLOAD_DIR` setting: a custom upload directory under a path from which the application loads JavaScript at startup (such as `conf`) is what makes the write reachable. Check the application root for unexpected `config.<NODE_ENV>.js` files (for example `config.production.js`), and review web-server or reverse-proxy logs for PATCH requests to `/files/` whose upload identifier contains percent-encoded traversal sequences such as `%2E%2E%2F`. If such a file is found, treat the host as compromised and remove the file before restarting the service, since the planted code runs on the next restart.

Related ATT&CK Techniques

  • T1505.003 Server Software Component: Web Shell (Persistence), severity high. Associated detection rule: Web Shell Activity Detection — CVE-2026-41180 (Sigma).

Indicators of Compromise

| ID | Type | Indicator |
| --- | --- | --- |
| CVE-2026-41180 | RCE | PsiTransfer < 2.4.3 |
| CVE-2026-41180 | RCE | Vulnerable endpoint: `/files/:uploadId` |
| CVE-2026-41180 | RCE | Attack vector: path traversal leading to arbitrary file creation (`config.<NODE_ENV>.js`) in the application root |
Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: April 23, 2026 at 05:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.