{"id":"CVE-2026-44260","summary":"efw4.X: readonly Flag Not Enforced Server-Side","details":"efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the readonly flag set on the \u003cefw:elFinder\u003e JSP tag is intended to prevent file modifications. When protected=true, elfinder_checkRisk enforces that the client sends readonly=true (matching the session value), but no event handler checks the readonly value before performing write operations. The flag only controls client-side UI elements (disabling buttons) and response metadata (write: 0, locked: 1). An attacker who sends requests directly (bypassing the UI) can perform all file operations despite readonly=true. This vulnerability is fixed in 4.08.010.","aliases":["GHSA-5454-qhrf-vcvh"],"modified":"2026-07-16T00:24:38.183533Z","published":"2026-05-12T21:09:34.549Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-863"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44260.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44260.json"},{"type":"ADVISORY","url":"https://github.com/efwGrp/efw4.X/security/advisories/GHSA-5454-qhrf-vcvh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44260"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/efwgrp/efw4.x","events":[{"introduced":"0"},{"fixed":"fe952e6879803c0cc0ff06a565e9d942f12d4fc8"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"4.08.010"}],"source":"AFFECTED_FIELD"}}],"versions":["v4.08.009","v4.08.008","v4.08.007","v4.08.006","v4.08.005","v4.08.004","v4.08.003","v4.08.002","v4.08.001","v4.08.000","v4.07.031","v4.07.030","v4.07.029","v4.07.028","test","v.4.07.027","v.4.07.026","v4.07.025","v4.07.024","v.4.07.023","v4.07.022","v4.07.021","v4.07.020","v4.07.019","v4.07.018","v4.07.017","v4.07.016","4.07.015","v4.07.009","v4.07.008","v4.07.007","v4.07.006","v4.07.000","v4.06.016"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44260.json","vanir_signatures_modified":"2026-07-16T00:24:38Z","vanir_signatures":[{"digest":{"function_hash":"89782526106010754331986047016442052871","length":1870},"id":"CVE-2026-44260-097fd364","signature_type":"Function","signature_version":"v1","source":"https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8","target":{"file":"sources/src/main/javax/efw/file/previewServlet.java","function":"doGet"},"deprecated":false},{"deprecated":false,"digest":{"function_hash":"89782526106010754331986047016442052871","length":1870},"id":"CVE-2026-44260-202748c3","signature_type":"Function","signature_version":"v1","source":"https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8","target":{"function":"doGet","file":"sources/src/main/jakarta/efw/file/previewServlet.java"}},{"deprecated":false,"digest":{"function_hash":"195264860270728576999647068414862149756","length":770},"id":"CVE-2026-44260-37d188e8","signature_type":"Function","signature_version":"v1","source":"https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8","target":{"file":"sources/src/main/java/efw/file/FileManager.java","function":"_unZip"}},{"deprecated":false,"digest":{"line_hashes":["320618671861691365479427930972051615616","29931663741834178740867015509311538954","5706814863982540716980096647785502797","230437415562700145515869012476482302917"],"threshold":0.9},"id":"CVE-2026-44260-7fb72642","signature_type":"Line","signature_version":"v1","source":"https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8","target":{"file":"sources/src/main/javax/efw/file/previewServlet.java"}},{"id":"CVE-2026-44260-885204e3","signature_type":"Line","signature_version":"v1","source":"https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8","target":{"file":"sources/src/main/jakarta/efw/file/previewServlet.java"},"deprecated":false,"digest":{"line_hashes":["320618671861691365479427930972051615616","29931663741834178740867015509311538954","5706814863982540716980096647785502797","230437415562700145515869012476482302917"],"threshold":0.9}},{"signature_version":"v1","source":"https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8","target":{"file":"sources/src/main/java/efw/file/FileManager.java"},"deprecated":false,"digest":{"line_hashes":["255293627626295300523719658593615290738","305620081116172530822839982195675158587","54211879183095802333488089542858066256"],"threshold":0.9},"id":"CVE-2026-44260-8e6e73e4","signature_type":"Line"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}]}