CVE Catalog

CVE-2026-44257

Critical
Published: Translated: NVD NIST

Summary

In efw4.X prior to version 4.08.010, the efw.file.FileManager.unZip method did not check the canonical path when writing zip entries to disk, allowing for directory traversal. An attacker could exploit this vulnerability to drop a malicious JSP file and execute arbitrary commands as the Tomcat user.

Risk Assessment

The organization is exposed to remote attacks that could lead to server compromise, resulting in serious implications for data security and infrastructure.

Recommendation

It is recommended to upgrade to version 4.08.010 or later to mitigate this vulnerability and conduct a security audit of the application.

Original NVD description (English source)

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and lands anywhere the Tomcat process can write — including the servlet context root. Combined with the framework's multipart /uploadServlet and an event that calls file.saveUploadFiles + FileManager.unZip, a remote attacker with no credentials drops a JSP webshell and executes arbitrary commands as the Tomcat user. This vulnerability is fixed in 4.08.010.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS