efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and lands anywhere the Tomcat process can write — including the servlet context root. Combined with the framework's multipart /uploadServlet and an event that calls file.saveUploadFiles + FileManager.unZip, a remote attacker with no credentials drops a JSP webshell and executes arbitrary commands as the Tomcat user. This vulnerability is fixed in 4.08.010.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44257.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-77"
]
}"2026-07-11T04:41:39Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44257.json"
[
{
"id": "CVE-2026-44257-097fd364",
"digest": {
"function_hash": "89782526106010754331986047016442052871",
"length": 1870.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8",
"deprecated": false,
"target": {
"function": "doGet",
"file": "sources/src/main/javax/efw/file/previewServlet.java"
}
},
{
"id": "CVE-2026-44257-202748c3",
"digest": {
"function_hash": "89782526106010754331986047016442052871",
"length": 1870.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8",
"deprecated": false,
"target": {
"function": "doGet",
"file": "sources/src/main/jakarta/efw/file/previewServlet.java"
}
},
{
"id": "CVE-2026-44257-37d188e8",
"digest": {
"function_hash": "195264860270728576999647068414862149756",
"length": 770.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8",
"deprecated": false,
"target": {
"function": "_unZip",
"file": "sources/src/main/java/efw/file/FileManager.java"
}
},
{
"id": "CVE-2026-44257-7fb72642",
"digest": {
"line_hashes": [
"320618671861691365479427930972051615616",
"29931663741834178740867015509311538954",
"5706814863982540716980096647785502797",
"230437415562700145515869012476482302917"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8",
"deprecated": false,
"target": {
"file": "sources/src/main/javax/efw/file/previewServlet.java"
}
},
{
"id": "CVE-2026-44257-885204e3",
"digest": {
"line_hashes": [
"320618671861691365479427930972051615616",
"29931663741834178740867015509311538954",
"5706814863982540716980096647785502797",
"230437415562700145515869012476482302917"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8",
"deprecated": false,
"target": {
"file": "sources/src/main/jakarta/efw/file/previewServlet.java"
}
},
{
"id": "CVE-2026-44257-8e6e73e4",
"digest": {
"line_hashes": [
"255293627626295300523719658593615290738",
"305620081116172530822839982195675158587",
"54211879183095802333488089542858066256"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8",
"deprecated": false,
"target": {
"file": "sources/src/main/java/efw/file/FileManager.java"
}
}
]