CVE-2026-4191 | JawherKl node-api-postgres up to 2.5 Profile Picture index.js path.extname unrestricted upload

Inserito da Angelo Barbosa | Mar 14, 2026 | CVE

A vulnerability was found in JawherKl node-api-postgres up to 2.5. It has been classified as critical. Affected is the function path.extname of the file index.js of the component Profile Picture Handler. This manipulation causes unrestricted upload.

This vulnerability is tracked as CVE-2026-4191. The attack is possible to be carried out remotely. Moreover, an exploit is present.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-4191 | JawherKl node-api-postgres up to 2.5 Profile Picture index.js path.extname unrestricted upload

Post correlati

CVE-2024-12937 | code-projects Simple Admin Panel 1.0 addVariationController.php qty sql injection

CVE-2024-42483 | Espressif esp-now up to 2.5.1 acceptance of extraneous untrusted data with trusted data

CVE-2026-21882 | AsfhtgkDavid theshit up to 0.1.x dropped privileges

CVE-2024-3014 | SourceCodester Simple Subscription Website 1.0 Actions.php title sql injection