A vulnerability has been found in hs-web hsweb-framework up to 5.0.1. The affected element is the function denied of the file hsweb-system/hsweb-system-file/src/main/java/org/hswebframework/web/file/FileUploadProperties.java of the component File Upload. The manipulation of the argument filename leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 8009845b577d8a2c4bbf4fdd8e8913799a714be6. It is suggested to install a patch to address this issue.
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "5.0.0"
},
{
"last_affected": "5.0.0"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/11xxx/CVE-2026-11470.json",
"cna_assigner": "VulDB",
"cwe_ids": [
"CWE-22"
]
}"2026-07-09T19:48:05Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-11470.json"
[
{
"id": "CVE-2026-11470-25273502",
"digest": {
"line_hashes": [
"38813189548386574310528372423160944078",
"105696407107315650260372517978865604603",
"6920996475304652056779255105164905480",
"63648441849701227446441141601741468939",
"159763010759515032202784833446732935588",
"7557221756032591414426605901237280170",
"199007090800829601808024957170802032772",
"136990786752029565412123281119928800457",
"194219915264450634480683596438458173928",
"234499432641339774241611449736670112242",
"110124626167739557586387337152000735635",
"160349790756952223981510696250821957624",
"55789053974182385063533812079302118904",
"163877664085045101106090144344525605352",
"239706050445744870868998421419093502258",
"8516380595323943005312227087331871749",
"12798001443916294693988147414600539229",
"63130552619541059949700676040519719346",
"223813435613131791767346400192964256756",
"331327965320176430985285397375399359588",
"26009883287113271422073523239967752881",
"115721834419991557933434849714322983092",
"125694657338757179885833519010705637802",
"275629744587586437930489813208579873236",
"136039855262237373497727367441923749071",
"65529334490570971449716798246931515100",
"149814219813258895673863752538432549221",
"201110625172853877238398827194918596223",
"210561141599619558398337460343922332996",
"103836249644112116900239149108616432145",
"201686073251133113562990865417562305232",
"166946388066242139207571882629401479264",
"3618784250969383058161954316055606476",
"44324240524366084061915923811479030216",
"145037064306914050076723593021743066403"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/hs-web/hsweb-framework/commit/8009845b577d8a2c4bbf4fdd8e8913799a714be6",
"deprecated": false,
"target": {
"file": "hsweb-system/hsweb-system-file/src/main/java/org/hswebframework/web/file/FileUploadProperties.java"
}
},
{
"id": "CVE-2026-11470-87820087",
"digest": {
"line_hashes": [
"329737882316931535694908822859146992255",
"3840878354206501284587321667229744437",
"79193029342024002088694806276589245126",
"228008352435027286136329694663746219373",
"22457386067051805696750085632552256652",
"83686322553651566015705756588779191119",
"307145857780638296447643591879429360126",
"308102643146994761594526631579234900015",
"219486470014271970745815836483291828047",
"290254797015615463932571231448089687967",
"191373639515424000370640754092523676343",
"313191767498418978006933039841632091173",
"21446861890152759231239890749187485116",
"205373008799726694029847028025638639602",
"186988520179367528391290712316470616727",
"250767504770079881137285897402013715644",
"256332003999936711349018941929881138534",
"90655861613965089374667857048568664963",
"308427272287837223817770266174698145567",
"129403670538410728530540238906106548958",
"21564134085889659058069638124716647072",
"14494582322614592837307132988984131048",
"99883554094049554460337466054996923551",
"54735759521726516190141034715500264501",
"27665376284172169290643756426642839537",
"194111296773446551486820582069455621385",
"292802052963557719132729556624378132095",
"173178325426893715363750607835575536204",
"134040625047700027085807109758510706600",
"301466261954776484217117274818944358140",
"328193539081352694142865081251179441684",
"129433267631934428382172106289935932756",
"161041321368610107468139643952233135493",
"79759556517421003704646912658253105913",
"92685816954361877043310707391489430543"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/hs-web/hsweb-framework/commit/8009845b577d8a2c4bbf4fdd8e8913799a714be6",
"deprecated": false,
"target": {
"file": "hsweb-system/hsweb-system-file/src/test/java/org/hswebframework/web/file/FileUploadPropertiesTest.java"
}
},
{
"id": "CVE-2026-11470-93ab0f87",
"digest": {
"function_hash": "286266392279622190299956225268022542646",
"length": 638.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/hs-web/hsweb-framework/commit/8009845b577d8a2c4bbf4fdd8e8913799a714be6",
"deprecated": false,
"target": {
"function": "createStaticSavePath",
"file": "hsweb-system/hsweb-system-file/src/main/java/org/hswebframework/web/file/FileUploadProperties.java"
}
}
]