Home > Vulnerability Database > CVE-2026-21440

Mend.io Vulnerability Database

CVE-2026-21440

Good to know:

Date: January 2, 2026

AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6.

Severity Score

9.8

Related Resources (8)

Url: https://github.com/adonisjs/bodyparser/releases/tag/v10.1.2

Url: https://github.com/adonisjs/core/security/advisories/GHSA-gvq6-hvvp-h34h

Url: https://github.com/adonisjs/bodyparser/commit/6795c0e3fa824ae275bbd992aae60609e96f0f03

Url: https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.6

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-21440

Url: https://github.com/adonisjs/bodyparser/commit/143a16f35602be8561215611582211dec280cae6

Url: https://github.com/adonisjs/core

Url: https://www.mend.io/vulnerability-database/CVE-2026-21440

Severity Score

9.8

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version @adonisjs/bodyparser - 10.1.2;@adonisjs/bodyparser - 11.0.0-next.6;https://github.com/adonisjs/bodyparser.git - v10.1.2;https://github.com/adonisjs/bodyparser.git - v11.0.0-next.6

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-21440

Good to know:

Date: January 2, 2026

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?