efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the readonly flag set on the <efw:elFinder> JSP tag is intended to prevent file modifications. When protected=true, elfinder_checkRisk enforces that the client sends readonly=true (matching the session value), but no event handler checks the readonly value before performing write operations. The flag only controls client-side UI elements (disabling buttons) and response metadata (write: 0, locked: 1). An attacker who sends requests directly (bypassing the UI) can perform all file operations despite readonly=true. This vulnerability is fixed in 4.08.010.
{
"cwe_ids": [
"CWE-863"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44260.json",
"cna_assigner": "GitHub_M"
}[
{
"source": "https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "89782526106010754331986047016442052871",
"length": 1870.0
},
"deprecated": false,
"id": "CVE-2026-44260-097fd364",
"target": {
"function": "doGet",
"file": "sources/src/main/javax/efw/file/previewServlet.java"
}
},
{
"source": "https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "89782526106010754331986047016442052871",
"length": 1870.0
},
"deprecated": false,
"id": "CVE-2026-44260-202748c3",
"target": {
"function": "doGet",
"file": "sources/src/main/jakarta/efw/file/previewServlet.java"
}
},
{
"source": "https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "195264860270728576999647068414862149756",
"length": 770.0
},
"deprecated": false,
"id": "CVE-2026-44260-37d188e8",
"target": {
"function": "_unZip",
"file": "sources/src/main/java/efw/file/FileManager.java"
}
},
{
"source": "https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"320618671861691365479427930972051615616",
"29931663741834178740867015509311538954",
"5706814863982540716980096647785502797",
"230437415562700145515869012476482302917"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-44260-7fb72642",
"target": {
"file": "sources/src/main/javax/efw/file/previewServlet.java"
}
},
{
"source": "https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"320618671861691365479427930972051615616",
"29931663741834178740867015509311538954",
"5706814863982540716980096647785502797",
"230437415562700145515869012476482302917"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-44260-885204e3",
"target": {
"file": "sources/src/main/jakarta/efw/file/previewServlet.java"
}
},
{
"source": "https://github.com/efwgrp/efw4.x/commit/fe952e6879803c0cc0ff06a565e9d942f12d4fc8",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"255293627626295300523719658593615290738",
"305620081116172530822839982195675158587",
"54211879183095802333488089542858066256"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-44260-8e6e73e4",
"target": {
"file": "sources/src/main/java/efw/file/FileManager.java"
}
}
]
"2026-07-16T00:24:38Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44260.json"