CVE-2026-44257

Sažetak

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and lands anywhere the Tomcat process can write — including the servlet context root. Combined with the framework's multipart /uploadServlet and an event that calls file.saveUploadFiles + FileManager.unZip, a remote attacker with no credentials drops a JSP webshell and executes arbitrary commands as the Tomcat user. This vulnerability is fixed in 4.08.010.

Reference

https://github.com/efwGrp/efw4.X/security/advisories/GHSA-q7jx-7x5r-r9f6
https://github.com/efwGrp/efw4.X/security/advisories/GHSA-q7jx-7x5r-r9f6

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

18-05-2026 - 16:16

Objavljeno

12-05-2026 - 22:16