Critical AdonisJS Vulnerability Allows Remote Attackers to Write Files on Server


Marcus Rodriguez
January 6, 2026 2 Min Read

A critical vulnerability has been identified in AdonisJS. The flaw could enable remote attackers to write arbitrary files to server filesystems, potentially leading to a complete system compromise.

The vulnerability, tracked as CVE-2026-21440, affects the bodyparser module of the popular TypeScript-first web framework and carries a critical CVSS v4 severity rating.

The security flaw resides in AdonisJS’s multipart file-handling mechanism in the @adonisjs/bodyparser package.

When processing multipart/form-data uploads, the framework’s MultipartFile.move() method uses unsafe default options that fail to sanitize client-supplied filenames properly.

| Attribute | Details |
|---|---|
| CVE ID | CVE-2026-21440 |
| Severity | Critical (CVSS v4: AV:N/AC:L/AT:P/PR:N/UI:N) |
| Affected Versions | ≤ 10.1.1, ≤ 11.0.0-next.5 |
| Weakness Type | CWE-22 (Path Traversal) |

Attackers can exploit this weakness by submitting specially crafted filenames containing path traversal sequences (such as “../”) to escape intended upload directories and write files to arbitrary locations on the server.

Exploitation requires a reachable upload endpoint where developers call MultipartFile.move() without proper filename sanitization. The default configuration also allows file overwrites, amplifying the threat.

If attackers can overwrite application code, startup scripts, or configuration files, remote code execution becomes possible depending on filesystem permissions and deployment configuration.

Security researcher Wodzen discovered this vulnerability and reported it on GitHub. It affects @adonisjs/bodyparser versions up to 10.1.1 and prerelease versions 11.0.0-next.5 and earlier.

AdonisJS has released security patches for versions 6 and 7. Developers should immediately upgrade to @adonisjs/bodyparser version 10.1.2 or 11.0.0-next.6.

Organizations using affected versions should audit their upload endpoints and implement explicit filename sanitization as an additional security layer.
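
One way to implement the explicit filename sanitization recommended above, shown as an added example rather than code from AdonisJS or the patch. The helper names, the upload directory and the extension allow-list are assumptions made for illustration; the sample filenames are constructed.

```javascript
const path = require("node:path");
const crypto = require("node:crypto");

// Hypothetical allow-list for this example; set it per upload endpoint.
const ALLOWED_EXTS = new Set(["png", "jpg", "jpeg", "pdf"]);

// True only if `candidate` resolves to a location strictly below `root`.
function isInside(root, candidate) {
  const rel = path.relative(path.resolve(root), path.resolve(candidate));
  return rel !== "" && rel.split(path.sep)[0] !== ".." && !path.isAbsolute(rel);
}

// Unsafe pattern: the client-supplied name decides where the file lands.
function naiveTarget(uploadDir, clientName) {
  return path.join(uploadDir, clientName);
}

// Hardened pattern: the server generates the name, keeps only an
// allow-listed extension from the client, and verifies containment.
function safeTarget(uploadDir, clientName) {
  // Split on both separators so "..\\x" is handled the same on any OS.
  const base = String(clientName).split(/[\\/]/).pop();
  const ext = path.extname(base).slice(1).toLowerCase();
  if (!ALLOWED_EXTS.has(ext)) {
    throw new Error(`upload rejected: extension "${ext}" is not allowed`);
  }
  const target = path.resolve(uploadDir, `${crypto.randomUUID()}.${ext}`);
  if (!isInside(uploadDir, target)) {
    throw new Error("upload rejected: target escapes the upload directory");
  }
  return target;
}

// Constructed sample filenames, as an upload endpoint might receive them.
const UPLOAD_DIR = "/srv/app/uploads";
for (const name of ["report.pdf", "../config/app.js", "..\\..\\avatar.PNG"]) {
  const naive = naiveTarget(UPLOAD_DIR, name);
  let safe;
  try { safe = safeTarget(UPLOAD_DIR, name); } catch (e) { safe = e.message; }
  console.log(JSON.stringify(name), "| naive stays inside:",
    isInside(UPLOAD_DIR, naive), "| hardened:", safe);
}
```

When the file is finally written, opening the destination with Node's `wx` flag makes the write fail instead of replacing an existing file, which addresses the overwrite behaviour separately from the traversal check.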

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
