{"id":"CVE-2026-44257","summary":"efw4.X: RCE via zipslip","details":"efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and lands anywhere the Tomcat process can write — including the servlet context root. Combined with the framework's multipart /uploadServlet and an event that calls file.saveUploadFiles + FileManager.unZip, a remote attacker with no credentials drops a JSP webshell and executes arbitrary commands as the Tomcat user. This vulnerability is fixed in 4.08.010.","aliases":["GHSA-q7jx-7x5r-r9f6"],"modified":"2026-07-11T04:41:39.996437Z","published":"2026-05-12T21:06:42.018Z","database_specific":{"cwe_ids":["CWE-77"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44257.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44257.json"},{"type":"ADVISORY","url":"https://github.com/efwGrp/efw4.X/security/advisories/GHSA-q7jx-7x5r-r9f6"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44257"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/efwgrp/efw4.x","events":[{"introduced":"0"},{"fixed":"fe952e6879803c0cc0ff06a565e9d942f12d4fc8"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"4.08.010"}],"source":"AFFECTED_FIELD"}}],"versions":["v4.08.009","v4.08.008","v4.08.007","v4.08.006","v4.08.005","v4.08.004","v4.08.003","v4.08.002","v4.08.001","v4.08.000","v4.07.031","v4.07.030","v4.07.029","v4.07.028","test","v.4.07.027","v.4.07.026","v4.07.025","v4.07.024","v.4.07.023","v4.07.022","v4.07.021","v4.07.020","v4.07.019","v4.07.018","v4.07.017","v4.07.016","4.07.015","v4.07.009","v4.07.008","v4.07.007","v4.07.006","v4.07.000","v4.06.016"],"database_specific":{"vanir_signatures":[{"digest":{"function_hash":"89782526106010754331986047016442052871","length":1870},"source":"https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8","signature_version":"v1","id":"CVE-2026-44257-097fd364","signature_type":"Function","target":{"function":"doGet","file":"sources/src/main/javax/efw/file/previewServlet.java"},"deprecated":false},{"digest":{"function_hash":"89782526106010754331986047016442052871","length":1870},"source":"https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8","signature_version":"v1","id":"CVE-2026-44257-202748c3","signature_type":"Function","target":{"function":"doGet","file":"sources/src/main/jakarta/efw/file/previewServlet.java"},"deprecated":false},{"digest":{"function_hash":"195264860270728576999647068414862149756","length":770},"source":"https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8","signature_version":"v1","id":"CVE-2026-44257-37d188e8","signature_type":"Function","target":{"function":"_unZip","file":"sources/src/main/java/efw/file/FileManager.java"},"deprecated":false},{"digest":{"threshold":0.9,"line_hashes":["320618671861691365479427930972051615616","29931663741834178740867015509311538954","5706814863982540716980096647785502797","230437415562700145515869012476482302917"]},"source":"https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8","signature_version":"v1","id":"CVE-2026-44257-7fb72642","signature_type":"Line","target":{"file":"sources/src/main/javax/efw/file/previewServlet.java"},"deprecated":false},{"digest":{"threshold":0.9,"line_hashes":["320618671861691365479427930972051615616","29931663741834178740867015509311538954","5706814863982540716980096647785502797","230437415562700145515869012476482302917"]},"source":"https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8","signature_version":"v1","id":"CVE-2026-44257-885204e3","signature_type":"Line","target":{"file":"sources/src/main/jakarta/efw/file/previewServlet.java"},"deprecated":false},{"digest":{"threshold":0.9,"line_hashes":["255293627626295300523719658593615290738","305620081116172530822839982195675158587","54211879183095802333488089542858066256"]},"source":"https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8","signature_version":"v1","id":"CVE-2026-44257-8e6e73e4","signature_type":"Line","target":{"file":"sources/src/main/java/efw/file/FileManager.java"},"deprecated":false}],"vanir_signatures_modified":"2026-07-11T04:41:39Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44257.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}