Vulnerability Description
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and lands anywhere the Tomcat process can write — including the servlet context root. Combined with the framework's multipart /uploadServlet and an event that calls file.saveUploadFiles + FileManager.unZip, a remote attacker with no credentials drops a JSP webshell and executes arbitrary commands as the Tomcat user. This vulnerability is fixed in 4.08.010.
Related Weaknesses (CWE)
References
- https://github.com/efwGrp/efw4.X/security/advisories/GHSA-q7jx-7x5r-r9f6
- https://github.com/efwGrp/efw4.X/security/advisories/GHSA-q7jx-7x5r-r9f6
FAQ
What is CVE-2026-44257?
CVE-2026-44257 is a documented vulnerability. efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry n...
How severe is CVE-2026-44257?
CVSS scoring is not yet available for CVE-2026-44257. Check NVD for updates.
Is there a patch for CVE-2026-44257?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.