CVE-2026-44258
efw4.X: Path Traversal via Unchecked dst Parameter leads to Remote Code Execution
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the elfinder_checkRisk function validates target and targets for path traversal and home containment, but does not validate the dst (destination) parameter used by elfinder_paste. An attacker can copy or move files from within the home directory to any arbitrary destination by setting dst to a base64-encoded traversal path. This bypasses the protected=true security control. This vulnerability is fixed in 4.08.010.
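The gap described above, as an added example that is not efw's own code: one containment check is run over a constructed paste request, first with only target and targets covered, then with dst covered as well. The function names and the assumption that each parameter is the plain base64 of a path relative to the home directory are hypothetical.

```javascript
// Added example with hypothetical names; not efw's own code.
// Assumption: each path parameter is the base64 of a path relative to home.
function decodeParam(value) {
  return Buffer.from(String(value), "base64").toString("utf8");
}

// Lexical containment: normalise the relative path and reject anything that
// is absolute, contains a NUL byte, or climbs above the home directory.
function staysInHome(relPath) {
  if (relPath.includes("\0")) return false;
  if (/^([\\/]|[A-Za-z]:)/.test(relPath)) return false; // absolute or drive path
  const stack = [];
  for (const seg of relPath.split(/[\\/]+/)) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (stack.length === 0) return false; // would leave home
      stack.pop();
    } else {
      stack.push(seg);
    }
  }
  return true;
}

// Returns the names of the checked parameters whose decoded path leaves home.
function checkRisk(params, checkedFields) {
  const rejected = [];
  for (const name of checkedFields) {
    if (params[name] === undefined) continue;
    const values = [].concat(params[name]);
    if (values.some((v) => !staysInHome(decodeParam(v)))) rejected.push(name);
  }
  return rejected;
}

const b64 = (s) => Buffer.from(s, "utf8").toString("base64");

// Constructed paste request: sources are inside home, dst climbs out of it.
const pasteRequest = {
  targets: [b64("docs/report.txt"), b64("docs/a/../notes.txt")],
  dst: b64("../../outside"),
};

// Coverage described for the affected versions: dst is never inspected.
const before = checkRisk(pasteRequest, ["target", "targets"]);
// Coverage with dst included in the same check.
const after = checkRisk(pasteRequest, ["target", "targets", "dst"]);

console.log({ before, after }); // { before: [], after: [ 'dst' ] }
```

The check is purely lexical; a deployment that allows symbolic links inside the home directory would also need to compare resolved real paths.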
| CWE | CWE-78 |
| Vendor | efwgrp |
| Product | efw4.x |
| Published | May 12, 2026 |
Affected Versions
efwGrp / efw4.X
< 4.08.010