CVE-2026-44260

HIGH 8.1

efw4.X: readonly Flag Not Enforced Server-Side

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

8th

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the readonly flag set on the <efw:elFinder> JSP tag is intended to prevent file modifications. When protected=true, elfinder_checkRisk enforces that the client sends readonly=true (matching the session value), but no event handler checks the readonly value before performing write operations. The flag only controls client-side UI elements (disabling buttons) and response metadata (write: 0, locked: 1). An attacker who sends requests directly (bypassing the UI) can perform all file operations despite readonly=true. This vulnerability is fixed in 4.08.010.

CWE	CWE-863
Vendor	efwgrp
Product	efw4.x
Published	May 12, 2026
Last Updated	May 13, 2026

Stay Ahead of the Next One

Get instant alerts for efwgrp efw4.x

Be the first to know when new high vulnerabilities affecting efwgrp efw4.x are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

efwGrp / efw4.X

< 4.08.010

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/efwGrp/efw4.X/security/advisories/GHSA-5454-qhrf-vcvh