EUVD-2026-12253
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4Description
A flaw has been found in JawherKl node-api-postgres up to 2.5. Affected is the function path.extname of the file index.js of the component Profile Picture Handler. This manipulation causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
A critical unrestricted file upload vulnerability exists in the Profile Picture Handler component of JawherKl's node-api-postgres library (versions up to 2.5), where improper validation in the path.extname function of index.js allows attackers to upload malicious files remotely without authentication. A proof-of-concept exploit is publicly available, making this vulnerability actively exploitable, though it is not currently listed in CISA's KEV catalog and no EPSS score is provided.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems and applications using node-api-postgres library and document their versions; implement network access restrictions to profile picture upload endpoints. Within 7 days: Audit logs for suspicious file upload activity; deploy WAF rules to block requests with suspicious file extensions; disable profile picture upload functionality if not critical to operations. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today