CVE-2026-21440

CRITICAL

AdonisJS bodyparser <10.1.2, 11.0.0-next.0-6 - Path Traversal & Arbitrary File Write

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2026-21440. PoCs published by XiaomingX, k0nnect, you-ssef9.

AI-analyzed exploit summary: The repository contains a functional exploit for CVE-2026-21440, demonstrating path traversal and arbitrary file upload leading to remote code execution (RCE). The script includes verification and exploitation modes, with preset paths for common Windows files and shell upload capabilities.

Description

AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6.

Exploits (5)

github WORKING POC 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-21440

The repository contains a functional exploit for CVE-2026-21440, demonstrating path traversal and arbitrary file upload leading to remote code execution (RCE). The script includes verification and exploitation modes, with preset paths for common Windows files and shell upload capabilities.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Unknown (likely a web server or application with path traversal vulnerability)
No auth needed
Prerequisites: Target URL with vulnerable endpoint · Writeable directory for shell upload
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC 3 stars
by k0nnect · poc
https://github.com/k0nnect/cve-2026-21440-writeup-poc

This repository contains a Python-based exploit for CVE-2026-21440, a path traversal vulnerability in @adonisjs/bodyparser. The exploit allows arbitrary file writes outside the intended upload directory by crafting malicious filenames with directory traversal sequences.

Classification: Working PoC (95%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: @adonisjs/bodyparser (versions ≤ 10.1.1 and 11.0.0-next.1 to 11.0.0-next.5)
No auth needed
Prerequisites: Access to the target upload endpoint · Network connectivity to the target
devstral-2 · analyzed Feb 16, 2026
nomisec SCANNER 1 star
by you-ssef9 · poc
https://github.com/you-ssef9/CVE-2026-21440

This is a detection-only scanner for CVE-2026-21440, a path traversal vulnerability in AdonisJS BodyParser. It fingerprints AdonisJS applications and probes for upload endpoints without exploiting the vulnerability.

Classification: Scanner (90%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: AdonisJS (Node.js) with @adonisjs/bodyparser
No auth needed
Prerequisites: Network access to the target web application
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by TibbersV6 · poc
https://github.com/TibbersV6/CVE-2026-21440-POC-EXP

This PoC exploits CVE-2026-21440, a path traversal vulnerability allowing arbitrary file read and web shell upload for remote command execution. It includes verification and exploitation modes with preset Windows file paths.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Unknown (likely a web server with path traversal vulnerability)
No auth needed
Prerequisites: Network access to vulnerable web server · Knowledge of target file paths or web root directory
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by redpack-kr · poc
https://github.com/redpack-kr/Ashwesker-CVE-2026-21440

This is a functional PoC exploit for CVE-2026-21440, a path traversal vulnerability in AdonisJS bodyparser that allows arbitrary file writes, potentially leading to RCE. The script supports multiple payload types, traversal depths, and includes features like proxy support and safe testing mode.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: @adonisjs/bodyparser <= 10.1.1, @adonisjs/bodyparser 11.x prerelease < 11.0.0-next.6
No auth needed
Prerequisites: Access to a vulnerable AdonisJS file upload endpoint
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v4: 9.2
EPSS: 0.0011
EPSS Percentile: 29.6%
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-22
Status: published
Products (3)
adonisjs/bodyparser 0 - 10.1.2 (npm)
adonisjs/core < 10.1.2
adonisjs/core >= 11.0.0-next.0, < 11.0.0-next.6
Published Jan 02, 2026
Tracked Since Feb 18, 2026