Description
A vulnerability has been found in hs-web hsweb-framework up to 5.0.1. The affected element is the function denied of the file hsweb-system/hsweb-system-file/src/main/java/org/hswebframework/web/file/FileUploadProperties.java of the component File Upload. The manipulation of the argument filename leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 8009845b577d8a2c4bbf4fdd8e8913799a714be6. It is suggested to install a patch to address this issue.
Published: 2026-06-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw exists in the denied method of FileUploadProperties.java in hsweb-framework, allowing a crafted filename argument to reference files outside the intended upload directory. By supplying a filename that contains path traversal characters, an attacker can read arbitrary files on the server where the framework is running. This can expose sensitive configuration files, code, or other secrets. The vulnerability is triggered remotely via the web interface that accepts file uploads.

Affected Systems

The flaw affects the hs-web hsweb-framework product, all releases up to and including 5.0.1. Organizations deploying these versions should verify the installed version and determine whether an update or patch can be applied.

Risk and Exploitability

CVSS score 5.3 indicates medium severity. No EPSS score is available, and the vulnerability is not currently listed in CISA’s KEV catalog. Attackers can exploit the flaw over the network by submitting a malicious file upload via the application’s web interface; the description explicitly states the attack is possible remotely. While the flaw does not grant arbitrary code execution, it allows unauthorized reading of files, which can aid further attacks. Given the medium CVSS score and the lack of any mitigating controls mentioned, the risk is moderate but should prompt timely remediation.

Generated by OpenCVE AI on June 8, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch identified by commit 8009845b577d8a2c4bbf4fdd8e8913799a714be6 or upgrade to an hsweb-framework release newer than 5.0.1.
  • Configure the File Upload component to reject filenames containing ".." or absolute path patterns.
  • Validate and whitelist only allowed file extensions and restrict upload directories to known safe paths.
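Complementing the recommended actions above, here is an added example (not code from hsweb-framework) of a fail-closed filename check for an upload component: a deny-list method that plays the role the description assigns to the denied function, paired with a canonical-path check against the upload root, which is the guard that actually stops traversal when a deny list misses a pattern. The class name and the upload root directory are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public final class UploadFilenameCheck {
    // Hypothetical upload root; a real deployment would read this from configuration.
    private static final Path UPLOAD_ROOT =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    /** Returns true when the submitted filename must be rejected (deny-list stage). */
    public static boolean denied(String filename) {
        if (filename == null || filename.isEmpty()) return true;
        // Treat backslashes as separators so "..\" and "\" are caught like "../" and "/".
        String f = filename.replace('\\', '/');
        // Absolute paths and Windows drive prefixes (C:...) are never acceptable upload names.
        if (f.startsWith("/") || f.matches("^[A-Za-z]:.*")) return true;
        // Reject any ".." segment anywhere in the path, not only a leading one.
        for (String seg : f.split("/")) {
            if (seg.equals("..")) return true;
        }
        // Control characters (including NUL) can truncate or confuse lower layers.
        for (char c : f.toCharArray()) {
            if (c < 0x20) return true;
        }
        // Percent-encoded dots/separators that a later decoder could unwrap into traversal.
        String lower = f.toLowerCase();
        return lower.contains("%2e%2e") || lower.contains("%2f") || lower.contains("%5c");
    }

    /** Resolves an accepted filename under the root; fails closed if the result escapes it. */
    public static Path resolveUnderRoot(String filename) {
        if (denied(filename)) throw new IllegalArgumentException("rejected filename: " + filename);
        Path target = UPLOAD_ROOT.resolve(filename).normalize();
        // Path.startsWith compares whole path elements, so "/var/app/uploads2" does not pass.
        if (!target.startsWith(UPLOAD_ROOT)) throw new IllegalArgumentException("escapes upload root");
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: benign names plus typical traversal shapes.
        String[] samples = {"report.pdf", "a/b/c.txt", "../../etc/passwd",
                            "..\\..\\win.ini", "/etc/shadow", "docs/..%2f..%2fx"};
        for (String s : samples) {
            System.out.println(s + " -> " + (denied(s) ? "denied" : resolveUnderRoot(s)));
        }
    }
}
```

If the component only ever needs a flat directory, keeping just the last path element (Paths.get(filename).getFileName()) before these checks removes the directory question entirely.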

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 01:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability has been found in hs-web hsweb-framework up to 5.0.1. The affected element is the function denied of the file hsweb-system/hsweb-system-file/src/main/java/org/hswebframework/web/file/FileUploadProperties.java of the component File Upload. The manipulation of the argument filename leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 8009845b577d8a2c4bbf4fdd8e8913799a714be6. It is suggested to install a patch to address this issue.
Title | | hs-web hsweb-framework File Upload FileUploadProperties.java denied path traversal
First Time appeared | | Hs-web; Hs-web hsweb-framework
Weaknesses | | CWE-22
CPEs | | cpe:2.3:a:hs-web:hsweb-framework:*:*:*:*:*:*:*:*
Vendors & Products | | Hs-web; Hs-web hsweb-framework
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
 | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
 | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T13:03:33.387Z

Reserved: 2026-06-07T09:29:57.116Z

Link: CVE-2026-11470

Vulnrichment

Updated: 2026-06-08T13:03:29.856Z

NVD

Status: Deferred

Published: 2026-06-08T01:16:22.433

Modified: 2026-06-08T14:57:14.757

Link: CVE-2026-11470

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T02:30:13Z

Weaknesses