CVE-2026-44258

Source
https://cve.org/CVERecord?id=CVE-2026-44258
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44258.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44258
Aliases
  • GHSA-9g5w-qw96-jr3x
Published
2026-05-12T21:05:06.569Z
Modified
2026-07-08T08:13:30.136312022Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
efw4.X: Path Traversal via Unchecked dst Parameter leads to Remote Code Execution
Details

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the elfindercheckRisk function validates target and targets for path traversal and home containment, but does not validate the dst (destination) parameter used by elfinderpaste. An attacker can copy or move files from within the home directory to any arbitrary destination by setting dst to a base64-encoded traversal path. This bypasses the protected=true security control. This vulnerability is fixed in 4.08.010.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44258.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-78"
    ]
}
References

Affected packages

Git / github.com/efwgrp/efw4.x

Affected ranges

Type
GIT
Repo
https://github.com/efwgrp/efw4.x
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.08.010"
        }
    ]
}

Affected versions

4.*
4.07.015
Other
test
v.*
v.4.07.023
v.4.07.026
v.4.07.027
v4.*
v4.06.016
v4.07.000
v4.07.006
v4.07.007
v4.07.008
v4.07.009
v4.07.016
v4.07.017
v4.07.018
v4.07.019
v4.07.020
v4.07.021
v4.07.022
v4.07.024
v4.07.025
v4.07.028
v4.07.029
v4.07.030
v4.07.031
v4.08.000
v4.08.001
v4.08.002
v4.08.003
v4.08.004
v4.08.005
v4.08.006
v4.08.007
v4.08.008
v4.08.009

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44258.json"