CVE-2026-4191

HIGH

node-api-postgres up to 2.5 - Unrestricted Upload

Title source: llm

Description

A flaw has been found in JawherKl node-api-postgres up to 2.5. Affected is the function path.extname of the file index.js of the component Profile Picture Handler. This manipulation causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

[Permissions Required, VDB Entry] https://vuldb.com/?id.351098

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.351098

[Permissions Required, VDB Entry] https://vuldb.com/?submit.770002

[Various Sources] https://hackmd.io/@YzU_KiOzT86cEbFQdBceVg/Bk56LQQYbe

Scores

CVSS v3 7.3

EPSS 0.0002

EPSS Percentile 4.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-284 CWE-434

Status published

Products (6)

JawherKl/node-api-postgres 2.0

JawherKl/node-api-postgres 2.1

JawherKl/node-api-postgres 2.2

JawherKl/node-api-postgres 2.3

JawherKl/node-api-postgres 2.4

JawherKl/node-api-postgres 2.5

Published Mar 16, 2026

Tracked Since Mar 16, 2026