{"id":"CVE-2026-11470","summary":"hs-web hsweb-framework File Upload FileUploadProperties.java denied path traversal","details":"A vulnerability has been found in hs-web hsweb-framework up to 5.0.1. The affected element is the function denied of the file hsweb-system/hsweb-system-file/src/main/java/org/hswebframework/web/file/FileUploadProperties.java of the component File Upload. The manipulation of the argument filename leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 8009845b577d8a2c4bbf4fdd8e8913799a714be6. It is suggested to install a patch to address this issue.","modified":"2026-07-09T19:48:05.980476Z","published":"2026-06-08T00:00:16.276Z","database_specific":{"cna_assigner":"VulDB","unresolved_ranges":[{"extracted_events":[{"introduced":"5.0.0"},{"last_affected":"5.0.0"}],"source":"AFFECTED_FIELD"}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/11xxx/CVE-2026-11470.json","cwe_ids":["CWE-22"]},"references":[{"type":"WEB","url":"https://github.com/hs-web/hsweb-framework/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/11xxx/CVE-2026-11470.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-11470"},{"type":"ADVISORY","url":"https://vuldb.com/cve/CVE-2026-11470"},{"type":"ADVISORY","url":"https://vuldb.com/submit/833856"},{"type":"ADVISORY","url":"https://vuldb.com/vuln/369090"},{"type":"REPORT","url":"https://github.com/hs-web/hsweb-framework/issues/344"},{"type":"REPORT","url":"https://github.com/hs-web/hsweb-framework/issues/344#issuecomment-3798035002"},{"type":"REPORT","url":"https://vuldb.com/vuln/369090/cti"},{"type":"FIX","url":"https://github.com/hs-web/hsweb-framework/commit/8009845b577d8a2c4bbf4fdd8e8913799a714be6"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hs-web/hsweb-framework","events":[{"introduced":"97f7cb7d9b73a120222e4ad909b300f2b1d6e54f"},{"fixed":"8009845b577d8a2c4bbf4fdd8e8913799a714be6"}],"database_specific":{"extracted_events":[{"introduced":"5.0.1"},{"last_affected":"5.0.1"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["5.0.1"],"database_specific":{"vanir_signatures_modified":"2026-07-09T19:48:05Z","vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["38813189548386574310528372423160944078","105696407107315650260372517978865604603","6920996475304652056779255105164905480","63648441849701227446441141601741468939","159763010759515032202784833446732935588","7557221756032591414426605901237280170","199007090800829601808024957170802032772","136990786752029565412123281119928800457","194219915264450634480683596438458173928","234499432641339774241611449736670112242","110124626167739557586387337152000735635","160349790756952223981510696250821957624","55789053974182385063533812079302118904","163877664085045101106090144344525605352","239706050445744870868998421419093502258","8516380595323943005312227087331871749","12798001443916294693988147414600539229","63130552619541059949700676040519719346","223813435613131791767346400192964256756","331327965320176430985285397375399359588","26009883287113271422073523239967752881","115721834419991557933434849714322983092","125694657338757179885833519010705637802","275629744587586437930489813208579873236","136039855262237373497727367441923749071","65529334490570971449716798246931515100","149814219813258895673863752538432549221","201110625172853877238398827194918596223","210561141599619558398337460343922332996","103836249644112116900239149108616432145","201686073251133113562990865417562305232","166946388066242139207571882629401479264","3618784250969383058161954316055606476","44324240524366084061915923811479030216","145037064306914050076723593021743066403"]},"target":{"file":"hsweb-system/hsweb-system-file/src/main/java/org/hswebframework/web/file/FileUploadProperties.java"},"signature_type":"Line","deprecated":false,"source":"https://github.com/hs-web/hsweb-framework/commit/8009845b577d8a2c4bbf4fdd8e8913799a714be6","id":"CVE-2026-11470-25273502","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["329737882316931535694908822859146992255","3840878354206501284587321667229744437","79193029342024002088694806276589245126","228008352435027286136329694663746219373","22457386067051805696750085632552256652","83686322553651566015705756588779191119","307145857780638296447643591879429360126","308102643146994761594526631579234900015","219486470014271970745815836483291828047","290254797015615463932571231448089687967","191373639515424000370640754092523676343","313191767498418978006933039841632091173","21446861890152759231239890749187485116","205373008799726694029847028025638639602","186988520179367528391290712316470616727","250767504770079881137285897402013715644","256332003999936711349018941929881138534","90655861613965089374667857048568664963","308427272287837223817770266174698145567","129403670538410728530540238906106548958","21564134085889659058069638124716647072","14494582322614592837307132988984131048","99883554094049554460337466054996923551","54735759521726516190141034715500264501","27665376284172169290643756426642839537","194111296773446551486820582069455621385","292802052963557719132729556624378132095","173178325426893715363750607835575536204","134040625047700027085807109758510706600","301466261954776484217117274818944358140","328193539081352694142865081251179441684","129433267631934428382172106289935932756","161041321368610107468139643952233135493","79759556517421003704646912658253105913","92685816954361877043310707391489430543"]},"target":{"file":"hsweb-system/hsweb-system-file/src/test/java/org/hswebframework/web/file/FileUploadPropertiesTest.java"},"signature_type":"Line","deprecated":false,"source":"https://github.com/hs-web/hsweb-framework/commit/8009845b577d8a2c4bbf4fdd8e8913799a714be6","id":"CVE-2026-11470-87820087","signature_version":"v1"},{"digest":{"function_hash":"286266392279622190299956225268022542646","length":638},"target":{"function":"createStaticSavePath","file":"hsweb-system/hsweb-system-file/src/main/java/org/hswebframework/web/file/FileUploadProperties.java"},"signature_type":"Function","deprecated":false,"source":"https://github.com/hs-web/hsweb-framework/commit/8009845b577d8a2c4bbf4fdd8e8913799a714be6","id":"CVE-2026-11470-93ab0f87","signature_version":"v1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11470.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}]}