CVE-2026-21440: Arbitrary File Write via Multipart Path Traversal in adonisjs/bodyparser

  • Type: Path Traversal Vulnerability (CWE-22)
  • Affected Software: @adonisjs/bodyparser package (used by the AdonisJS web framework)
  • Impact: Remote attackers can write attacker-controlled files to any location on the server's filesystem that the application process is permitted to write to.
  • Severity: High / Critical (an unauthenticated arbitrary file write frequently leads on to code execution).
  • Status: Patched in newer releases of the package.
Field                   Details
CVE ID                  CVE-2026-21440
Vulnerability Type      Path Traversal (CWE-22)
Affected Component      @adonisjs/bodyparser
Attack Vector           Remote (via crafted multipart file uploads)
Impact                  Arbitrary file write on server filesystem
Severity                High / Critical
Root Cause              Improper validation of file paths during multipart upload handling
Exploitation Result     Writing files outside the intended upload directory
Potential Consequences  File overwrite, malicious file placement, possible RCE
Affected Versions       ≤ 10.1.1; 11.0.0-next.x earlier than 11.0.0-next.6
Fixed Versions          10.1.2 and later; 11.0.0-next.6 and later
Mitigation              Upgrade package, sanitize upload paths, restrict upload endpoints

Technical Details

  • The flaw resides in the multipart file-handling code of the AdonisJS body parser.
  • A crafted multipart request can supply path components (such as the part's filename) that escape the intended upload directory, so the uploaded content is written to a location of the attacker's choosing, limited only by the permissions of the server process.
  • That location can include application code, configuration or other files the server later reads or executes, so an attacker can overwrite existing files or drop new scripts.
  • The root cause is that file paths derived from the upload are not validated or sanitized before they are used on the filesystem.

Versions Affected

  • Vulnerable:
    • @adonisjs/bodyparser up to and including 10.1.1
    • Pre-release 11.0.0-next.x versions earlier than 11.0.0-next.6
  • Fixed:
    • 10.1.2 and later
    • 11.0.0-next.6 and later

Impact & Risk

  • As a path traversal vulnerability, CVE-2026-21440 enables attackers to write files outside intended folders.
  • If exploited on a server with reachable upload endpoints, this could lead to:
    • Modification of application code or configs
    • Arbitrary file writes with attacker-controlled content
    • Potential remote code execution (RCE), depending on environment and configuration, for example if the attacker overwrites or plants a file that the application, a scheduler or the operating system later loads or executes.

Mitigation / Fix

  • Update the @adonisjs/bodyparser dependency:
    • Upgrade to 10.1.2 or later on the 10.x line, or to 11.0.0-next.6 or later on the 11.x pre-release line.
    • Confirm the version actually installed with npm ls @adonisjs/bodyparser; the package may be pulled in transitively, so check the lockfile rather than only your own package.json.
  • Never use the client-supplied filename as a filesystem path in your own upload handling: strip directory components or generate a server-side name, and check that the final path resolves inside the upload directory before writing.
  • Restrict upload endpoints (for example, require authentication) and validate file types by content where possible.