CVE-2026-44257
CriticalSummary
In efw4.X prior to version 4.08.010, the efw.file.FileManager.unZip method did not check the canonical path when writing zip entries to disk, allowing for directory traversal. An attacker could exploit this vulnerability to drop a malicious JSP file and execute arbitrary commands as the Tomcat user.
Risk Assessment
The organization is exposed to remote attacks that could lead to server compromise, resulting in serious implications for data security and infrastructure.
Recommendation
It is recommended to upgrade to version 4.08.010 or later to mitigate this vulnerability and conduct a security audit of the application.
Original NVD description (English source)
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and lands anywhere the Tomcat process can write — including the servlet context root. Combined with the framework's multipart /uploadServlet and an event that calls file.saveUploadFiles + FileManager.unZip, a remote attacker with no credentials drops a JSP webshell and executes arbitrary commands as the Tomcat user. This vulnerability is fixed in 4.08.010.

