CVE-2026-44257

UNKNOWN 0.0

efw4.X: RCE via zipslip

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and lands anywhere the Tomcat process can write — including the servlet context root. Combined with the framework's multipart /uploadServlet and an event that calls file.saveUploadFiles + FileManager.unZip, a remote attacker with no credentials drops a JSP webshell and executes arbitrary commands as the Tomcat user. This vulnerability is fixed in 4.08.010.

CWE	CWE-77
Vendor	efwgrp
Product	efw4.x
Published	May 12, 2026

Stay Ahead of the Next One

Get instant alerts for efwgrp efw4.x

Be the first to know when new unknown vulnerabilities affecting efwgrp efw4.x are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

efwGrp / efw4.X

< 4.08.010

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/efwGrp/efw4.X/security/advisories/GHSA-q7jx-7x5r-r9f6