cbcvebase.
CVE-2026-21440
published 2026-01-02

CVE-2026-21440: AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary…

PriorityP261critical9.2CVSS 4.0
AVNACLATPPRNUINVCHVIHVAHSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
1.06%
60.4th percentile
AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6.

Affected

4 ranges
VendorProductVersion rangeFixed in
adonisjsbodyparser>= 0 < 10.1.210.1.2
adonisjsbodyparser>= 11.0.0-next.0 < 11.0.0-next.611.0.0-next.6
adonisjscore< 10.1.210.1.2
adonisjscore
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.