CVE-2026-4191
Unrestricted File Upload in JawherKl node-api-postgres Profile Handler
Publication date: 2026-03-16
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jawherkl | node-api-postgres | to 2.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-4191 is a critical vulnerability in the JawherKl node-api-postgres application up to version 2.5, specifically in the Profile Picture Handler component's function path.extname in the index.js file."}, {'type': 'paragraph', 'content': 'The flaw allows unrestricted file uploads because the POST endpoint for uploading profile pictures lacks proper validation such as file type filtering and file size restrictions.'}, {'type': 'paragraph', 'content': 'This means an attacker can upload malicious files like HTML or executable scripts, bypassing intended image upload restrictions.'}, {'type': 'paragraph', 'content': 'Such uploads can lead to serious security issues including Stored Cross-Site Scripting (XSS) attacks or even Remote Code Execution (RCE), depending on the server environment.'}] [1, 2]
How can this vulnerability impact me? :
This vulnerability impacts the confidentiality, integrity, and availability of the affected system.
Because it allows remote attackers to upload arbitrary files without authentication, it can be exploited to execute malicious scripts or code on the server.
Potential impacts include Stored Cross-Site Scripting (XSS) attacks, Remote Code Execution (RCE), and unauthorized access or manipulation of system resources.
The exploit is publicly available and easy to execute, increasing the risk of compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability involves unrestricted file uploads to the `/users/:id/profile-picture` POST endpoint in the node-api-postgres application up to version 2.5. Detection can focus on monitoring HTTP POST requests to this endpoint for suspicious file uploads, especially files with unusual or executable extensions such as .html or scripts that should not be allowed.'}, {'type': 'paragraph', 'content': 'Network or system detection can include inspecting web server logs or application logs for POST requests to `/users/:id/profile-picture` that include files with extensions other than expected image types (e.g., .jpg, .png).'}, {'type': 'paragraph', 'content': 'Suggested commands to detect suspicious uploads might include:'}, {'type': 'list_item', 'content': 'Using grep on web server logs to find POST requests to the vulnerable endpoint: `grep "POST /users/" /var/log/nginx/access.log | grep "profile-picture"`'}, {'type': 'list_item', 'content': 'Searching for uploaded files with suspicious extensions in the uploads directory: `find /path/to/uploads -type f \\( -name "*.html" -o -name "*.js" -o -name "*.php" \\)`'}, {'type': 'list_item', 'content': 'Using network monitoring tools (e.g., Wireshark or tcpdump) to capture HTTP POST traffic to the endpoint and analyze file upload content.'}, {'type': 'paragraph', 'content': 'Because the vulnerability allows unrestricted upload of potentially dangerous files, monitoring for unexpected file types or large numbers of uploads can help detect exploitation attempts.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Currently, there are no known vendor patches or official mitigations available for this vulnerability as the vendor did not respond to the disclosure.
Immediate mitigation steps include:
- Restrict access to the `/users/:id/profile-picture` endpoint by implementing authentication and authorization controls to limit who can upload files.
- Implement server-side validation to restrict uploaded file types and sizes, ensuring only allowed image formats are accepted.
- Configure the web server to prevent execution of uploaded files in the `/uploads` directory, for example by disabling script execution or serving files as static content only.
- Monitor and audit uploads regularly to detect suspicious files and remove them promptly.
- Consider replacing the affected product with an alternative that does not have this vulnerability.