9.2

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-21440

CVE-2026-21440: AdonisJS Path Traversal in Multipart File Handling

AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-21440

CVE-2026-21440:

9.2

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@adonisjs/bodyparser	npm	< 10.1.2	10.1.2
@adonisjs/bodyparser	npm	>= 11.0.0-next.0, < 11.0.0-next.6	11.0.0-next.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the @adonisjs/bodyparser package. The MultipartFile.move method is responsible for moving uploaded files to a destination directory. The patch commits 143a16f35602be8561215611582211dec280cae6 and 6795c0e3fa824ae275bbd992aae60609e96f0f03 clearly show that the default behavior of this method was to use the clientName from the multipart form data as the filename. This clientName is user-controllable and was not sanitized, leading to a path traversal vulnerability. The fix replaces the use of clientName with a randomly generated filename, thus mitigating the vulnerability. Therefore, any code path that calls MultipartFile.move without explicitly providing a safe filename in the options is vulnerable.

Vulnerable functions

MultipartFile.move

src/multipart/file.ts

The `move` method in the `MultipartFile` class uses the unsanitized `clientName` as the default filename when moving an uploaded file. An attacker can provide a crafted filename with path traversal sequences (e.g., `../../../../tmp/pwned`) to write the file to an arbitrary location on the filesystem.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-21440: AdonisJS Path Traversal in Multipart File Handling

CVE-2026-21440:

9.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2026-21440: AdonisJS Path Traversal in Multipart File Handling

9.2

9.2

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI