{"id":"CVE-2026-44259","summary":"efw4.X: Stored XSS via previewServlet","details":"efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the previewServlet serves files with their detected MIME type based on file extension, without any content sanitization or security headers. Files with .html, .htm, or .svg extensions are served as text/html or image/svg+xml respectively, causing any embedded JavaScript to execute in the victim's browser within the application's origin. This vulnerability is fixed in 4.08.010.","aliases":["GHSA-hw67-p3gw-rrmj"],"modified":"2026-07-15T23:27:38.180872Z","published":"2026-05-12T21:08:27.846Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-80"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44259.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44259.json"},{"type":"ADVISORY","url":"https://github.com/efwGrp/efw4.X/security/advisories/GHSA-hw67-p3gw-rrmj"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44259"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/efwgrp/efw4.x","events":[{"introduced":"0"},{"fixed":"fe952e6879803c0cc0ff06a565e9d942f12d4fc8"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"4.08.010"}],"source":"AFFECTED_FIELD"}}],"versions":["v4.08.009","v4.08.008","v4.08.007","v4.08.006","v4.08.005","v4.08.004","v4.08.003","v4.08.002","v4.08.001","v4.08.000","v4.07.031","v4.07.030","v4.07.029","v4.07.028","test","v.4.07.027","v.4.07.026","v4.07.025","v4.07.024","v.4.07.023","v4.07.022","v4.07.021","v4.07.020","v4.07.019","v4.07.018","v4.07.017","v4.07.016","4.07.015","v4.07.009","v4.07.008","v4.07.007","v4.07.006","v4.07.000","v4.06.016"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44259.json","vanir_signatures_modified":"2026-07-15T23:27:38Z","vanir_signatures":[{"target":{"file":"sources/src/main/javax/efw/file/previewServlet.java","function":"doGet"},"deprecated":false,"digest":{"function_hash":"89782526106010754331986047016442052871","length":1870},"id":"CVE-2026-44259-097fd364","signature_type":"Function","signature_version":"v1","source":"https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8"},{"signature_type":"Function","signature_version":"v1","source":"https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8","target":{"file":"sources/src/main/jakarta/efw/file/previewServlet.java","function":"doGet"},"deprecated":false,"digest":{"function_hash":"89782526106010754331986047016442052871","length":1870},"id":"CVE-2026-44259-202748c3"},{"deprecated":false,"digest":{"function_hash":"195264860270728576999647068414862149756","length":770},"id":"CVE-2026-44259-37d188e8","signature_type":"Function","signature_version":"v1","source":"https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8","target":{"file":"sources/src/main/java/efw/file/FileManager.java","function":"_unZip"}},{"source":"https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8","target":{"file":"sources/src/main/javax/efw/file/previewServlet.java"},"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["320618671861691365479427930972051615616","29931663741834178740867015509311538954","5706814863982540716980096647785502797","230437415562700145515869012476482302917"]},"id":"CVE-2026-44259-7fb72642","signature_type":"Line","signature_version":"v1"},{"target":{"file":"sources/src/main/jakarta/efw/file/previewServlet.java"},"deprecated":false,"digest":{"line_hashes":["320618671861691365479427930972051615616","29931663741834178740867015509311538954","5706814863982540716980096647785502797","230437415562700145515869012476482302917"],"threshold":0.9},"id":"CVE-2026-44259-885204e3","signature_type":"Line","signature_version":"v1","source":"https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8"},{"source":"https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8","target":{"file":"sources/src/main/java/efw/file/FileManager.java"},"deprecated":false,"digest":{"line_hashes":["255293627626295300523719658593615290738","305620081116172530822839982195675158587","54211879183095802333488089542858066256"],"threshold":0.9},"id":"CVE-2026-44259-8e6e73e4","signature_type":"Line","signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"}]}