Description
The automatic folder creation feature of Lhaz and Lhaz+ provided by Chitora soft contains a path traversal vulnerability. When the affected product is configured with the automatic folder creation feature enabled, and a product user tries to extract an archive file which has a crafted file name, then the archived files may be extracted to an unexpected folder.
Published: 2026-05-12
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an uncontrolled path traversal in the automatic folder creation feature of Lhaz and Lhaz+. When a user extracts an archive whose entries carry crafted file names, the extractor writes those entries to directories outside the intended extraction folder. Because the file names come from the archive, an attacker who supplies the archive can cause files to be overwritten or placed in privileged locations, compromising the integrity of the system. The weakness is classified as CWE-22.

Affected Systems

The affected products are Chitora soft’s Lhaz and Lhaz+. Version information is not specified in the advisory; all releases that enable the automatic folder creation setting are potentially vulnerable.

Risk and Exploitability

The CVSS score is 4.6, indicating a moderate risk. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely local, since exploitation requires a user to extract an archive containing crafted file names. If that user has sufficient privileges to write to protected directories, the impact could be more severe, potentially allowing privilege escalation or system compromise. In the absence of known public exploits, the risk remains moderate until a patch is released.

Generated by OpenCVE AI on May 12, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply vendor patch for Lhaz and Lhaz+ when it becomes available.
  • If a patch is not yet released, temporarily disable the automatic folder creation feature to eliminate the path traversal entry point.
  • Implement validation of archive filenames and restrict extraction to a safe, predetermined directory to prevent unintended file placement.
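The last recommendation, validating archive entry names and confining extraction to a predetermined directory, is the standard CWE-22 mitigation for an extractor that creates folders from archive metadata. The following is an added illustration, not code from Chitora soft or from Lhaz; it uses a ZIP archive and Python's standard library purely for demonstration, and the sample entries it builds are constructed. The check normalises both `/` and `\` separators, rejects absolute paths, drive letters and any remaining `..` component, and finally resolves the joined path and confirms it is still rooted under the destination.

```python
import io
import posixpath
import tempfile
import zipfile
from pathlib import Path, PureWindowsPath


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """Return True only if member_name, joined onto dest_dir, stays inside dest_dir.

    Steps: treat backslashes as separators (archives built on Windows often store
    them), reject absolute paths and drive-letter or UNC prefixes, reject '..'
    that survives normalisation, then resolve and check the final location.
    """
    name = member_name.replace("\\", "/")
    if not name or name.startswith("/") or PureWindowsPath(name).drive:
        return False
    normalized = posixpath.normpath(name)
    if normalized == ".." or normalized.startswith("../"):
        return False
    root = Path(dest_dir).resolve()
    # resolve() follows symlinks, so a link inside root that points outside
    # is also caught by this containment test.
    target = (root / normalized).resolve()
    return target == root or root in target.parents


def extract_archive_safely(archive_bytes: bytes, dest_dir: str) -> dict:
    """Extract a ZIP into dest_dir, creating sub-folders only for entries that
    pass is_safe_member. Returns a report of extracted and rejected names; a
    rejected name is a strong signal that the archive was crafted and is
    worth logging."""
    root = Path(dest_dir).resolve()
    root.mkdir(parents=True, exist_ok=True)
    report = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(str(root), info.filename):
                report["rejected"].append(info.filename)
                continue
            target = root / posixpath.normpath(info.filename.replace("\\", "/"))
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                # This is the "automatic folder creation" step: the parent
                # folders named by the entry are created on demand, but only
                # after the containment check above has passed.
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
            report["extracted"].append(info.filename)
    return report


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry and four traversal-style names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        zf.writestr("../outside.txt", "dot-dot escape\n")
        zf.writestr("docs\\..\\..\\outside2.txt", "backslash escape\n")
        zf.writestr("/etc/escaped.txt", "absolute path\n")
        zf.writestr("C:\\Windows\\evil.txt", "drive letter\n")
    return buf.getvalue()


def demo() -> dict:
    """Extract the sample into a fresh temporary directory and report what
    landed on disk, so the containment can be checked without side effects."""
    dest = tempfile.mkdtemp(prefix="safe-extract-")
    report = extract_archive_safely(build_sample_archive(), dest)
    report["dest"] = dest
    report["readme_on_disk"] = (Path(dest) / "docs" / "readme.txt").is_file()
    report["escape_on_disk"] = (Path(dest).parent / "outside.txt").exists()
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of checks matters: normalising separators before looking for `..` prevents `docs\..\..\x` from being treated as a single odd filename, and the final `resolve()` comparison is what turns a string check into a filesystem guarantee.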


Advisories

No advisories yet.

History

Tue, 12 May 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Chitora, Chitora lhaz
Type: Vendors & Products
Values Added: Chitora, Chitora lhaz

Tue, 12 May 2026 07:15:00 +0000

Type: Title
Values Added: Automatic Folder Creation Path Traversal in Lhaz and Lhaz+

Tue, 12 May 2026 05:30:00 +0000

Type: Description
Values Added: The automatic folder creation feature of Lhaz and Lhaz+ provided by Chitora soft contains a path traversal vulnerability. When the affected product is configured with the automatic folder creation feature enabled, and a product user tries to extract an archive file which has a crafted file name, then the archived files may be extracted to an unexpected folder.
Type: Weaknesses
Values Added: CWE-22
Type: References
Values Added: (empty)
Type: Metrics
Values Added: cvssV3_0
{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}
cvssV4_0
{'score': 4.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-05-12T13:18:08.982Z

Reserved: 2026-04-21T00:48:03.452Z

Link: CVE-2026-41530

Vulnrichment

Updated: 2026-05-12T13:18:03.500Z

NVD

Status: Deferred

Published: 2026-05-12T06:16:09.073

Modified: 2026-05-12T15:10:27.993

Link: CVE-2026-41530

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T08:45:11Z

Weaknesses