@Adonisjs/bodyparser path traversal (CVE-2026-21440)
Vulnerability
Summary
@adonisjs/bodyparser disclosed CVE-2026-21440, a CVSS 9.2 path traversal flaw that lets a remote attacker write arbitrary files on affected servers that expose a reachable upload endpoint. The bug affects 10.1.1 and earlier and 11.0.0-next.5 and earlier; it is fixed in 10.1.2 and 11.0.0-next.6. In deployments where overwritten code or configuration is later executed, the issue can escalate to RCE.
Related Happenings
NGINX rewrite-rule workaround for CVE-2026-42945
Advisory/Mitigation
First: 14.05.2026 18:43
Last: 14.05.2026 18:43
Sources 1
About this happening:
**F5** issued a **workaround** for vulnerable **NGINX rewrite rules**, reducing exposure to **CVE-2026-42945** for operators who cannot upgrade immediately. The guidance replaces...
Gladinet CentreStack and Triofox workaround for CVE-2025-11371
Advisory/Mitigation
First: 10.10.2025 22:08
Last: 10.10.2025 22:08
Sources 1
About this happening:
**CentreStack** and **Triofox** are affected by **CVE-2025-11371**, a **local file inclusion zero-day** that threat actors have **abused since late September** to read **Web.confi...
Timeline
06.01.2026 05:30 2 articles · 4mo ago
AdonisJS bodyparser vulnerability disclosure
Initial Disclosure
A critical path traversal vulnerability in @adonisjs/bodyparser, tracked as CVE-2026-21440 with CVSS 9.2, prompted update guidance for affected users. If MultipartFile.move() is used without the second options argument or without explicitly sanitizing the filename, a crafted filename can write outside the intended upload directory on servers with a reachable upload endpoint, creating arbitrary file write conditions and, in some deployments, possible RCE if overwritten code or configuration is later executed. Fixed releases are 10.1.2 and 11.0.0-next.6.
- Critical AdonisJS Bodyparser Flaw (CVSS 9.2) Enables Arbitrary File Write on Servers — thehackernews.com — 06.01.2026 05:30