CVE-2026-44257

Source
https://cve.org/CVERecord?id=CVE-2026-44257
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44257.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44257
Aliases
  • GHSA-q7jx-7x5r-r9f6
Published
2026-05-12T21:06:42.018Z
Modified
2026-07-11T04:41:39.996437Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
efw4.X: RCE via zipslip
Details

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and lands anywhere the Tomcat process can write — including the servlet context root. Combined with the framework's multipart /uploadServlet and an event that calls file.saveUploadFiles + FileManager.unZip, a remote attacker with no credentials drops a JSP webshell and executes arbitrary commands as the Tomcat user. This vulnerability is fixed in 4.08.010.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44257.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-77"
    ]
}
References

Affected packages

Git / github.com/efwgrp/efw4.x

Affected ranges

Type
GIT
Repo
https://github.com/efwgrp/efw4.x
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.08.010"
        }
    ]
}

Affected versions

4.*
4.07.015
Other
test
v.*
v.4.07.023
v.4.07.026
v.4.07.027
v4.*
v4.06.016
v4.07.000
v4.07.006
v4.07.007
v4.07.008
v4.07.009
v4.07.016
v4.07.017
v4.07.018
v4.07.019
v4.07.020
v4.07.021
v4.07.022
v4.07.024
v4.07.025
v4.07.028
v4.07.029
v4.07.030
v4.07.031
v4.08.000
v4.08.001
v4.08.002
v4.08.003
v4.08.004
v4.08.005
v4.08.006
v4.08.007
v4.08.008
v4.08.009

Database specific

vanir_signatures_modified
"2026-07-11T04:41:39Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44257.json"
vanir_signatures
[
    {
        "id": "CVE-2026-44257-097fd364",
        "digest": {
            "function_hash": "89782526106010754331986047016442052871",
            "length": 1870.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8",
        "deprecated": false,
        "target": {
            "function": "doGet",
            "file": "sources/src/main/javax/efw/file/previewServlet.java"
        }
    },
    {
        "id": "CVE-2026-44257-202748c3",
        "digest": {
            "function_hash": "89782526106010754331986047016442052871",
            "length": 1870.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8",
        "deprecated": false,
        "target": {
            "function": "doGet",
            "file": "sources/src/main/jakarta/efw/file/previewServlet.java"
        }
    },
    {
        "id": "CVE-2026-44257-37d188e8",
        "digest": {
            "function_hash": "195264860270728576999647068414862149756",
            "length": 770.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8",
        "deprecated": false,
        "target": {
            "function": "_unZip",
            "file": "sources/src/main/java/efw/file/FileManager.java"
        }
    },
    {
        "id": "CVE-2026-44257-7fb72642",
        "digest": {
            "line_hashes": [
                "320618671861691365479427930972051615616",
                "29931663741834178740867015509311538954",
                "5706814863982540716980096647785502797",
                "230437415562700145515869012476482302917"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8",
        "deprecated": false,
        "target": {
            "file": "sources/src/main/javax/efw/file/previewServlet.java"
        }
    },
    {
        "id": "CVE-2026-44257-885204e3",
        "digest": {
            "line_hashes": [
                "320618671861691365479427930972051615616",
                "29931663741834178740867015509311538954",
                "5706814863982540716980096647785502797",
                "230437415562700145515869012476482302917"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8",
        "deprecated": false,
        "target": {
            "file": "sources/src/main/jakarta/efw/file/previewServlet.java"
        }
    },
    {
        "id": "CVE-2026-44257-8e6e73e4",
        "digest": {
            "line_hashes": [
                "255293627626295300523719658593615290738",
                "305620081116172530822839982195675158587",
                "54211879183095802333488089542858066256"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8",
        "deprecated": false,
        "target": {
            "file": "sources/src/main/java/efw/file/FileManager.java"
        }
    }
]