Cyber Posture

CVE-2026-41690

High

Published: 08 May 2026

Published
08 May 2026
Modified
08 May 2026
KEV Added
Patch
CVSS Score 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
EPSS Score 0.0008 22.5th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-41690 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.6 (High).

Operationally, ranked at the 22.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SI-10 Information Input Validation
addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

NVD Description

18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two…

more

unvalidated entry points that reach internal object-key writes: getResourcesHandler and missingKeyHandler. This can break authorisation checks (if (user.isAdmin) returning true for any user), cause type-confusion DoS, and depending on downstream code it can be chained into RCE.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-22CWE-1321

CVEs Like This One

CVE-2024-57083Shared CWE-1321
CVE-2024-38988Shared CWE-1321
CVE-2026-23536Shared CWE-22
CVE-2025-23422Shared CWE-22
CVE-2024-48885Shared CWE-22
CVE-2024-12849Shared CWE-22
CVE-2026-34221Shared CWE-1321
CVE-2026-33656Shared CWE-22
CVE-2025-8343Shared CWE-22
CVE-2024-57065Shared CWE-1321

References