Description
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and lands anywhere the Tomcat process can write — including the servlet context root. Combined with the framework's multipart /uploadServlet and an event that calls file.saveUploadFiles + FileManager.unZip, a remote attacker with no credentials drops a JSP webshell and executes arbitrary commands as the Tomcat user. This vulnerability is fixed in 4.08.010.
Published: 2026-05-12
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from efw4.X’s unZip method which writes extracted files directly to disk using the raw zip entry names. The flaw is a classic directory traversal vulnerability (CWE-77). A crafted entry such as '../../../pwned.jsp' allows the file to be created outside the intended extraction folder, including inside the web application’s context root. When this flaw is combined with the framework’s uploadServlet, which triggers file.saveUploadFiles followed by unZip, a remote attacker who can upload a file—even without authentication—can drop a malicious JSP webshell into the Tomcat webapps directory and execute arbitrary commands with the Tomcat process’s privileges.

Affected Systems

efwGrp efw4.X versions prior to 4.08.010 are affected. The issue is fixed in 4.08.010 and later releases.

Risk and Exploitability

The CVSS score of 9.3 marks this as critical. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog, but the lack of authentication on the upload endpoint and the ability to write executable content make exploitation highly likely once an attacker can reach the endpoint. Attackers can achieve full control of the host as the Tomcat user.

Generated by OpenCVE AI on May 12, 2026 at 23:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade efw4.X to version 4.08.010 or later, which adds canonical‑path checks to prevent zip slip.
  • If an upgrade is not immediately possible, restrict the uploadServlet so that only authenticated users can submit files and validate that all extracted paths are confined to the intended directory.
  • Temporarily configure Tomcat to deny write access or JSP execution in the webapps directory for untrusted uploads, thereby limiting the attacker’s ability to deploy a webshell.

Generated by OpenCVE AI on May 12, 2026 at 23:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and lands anywhere the Tomcat process can write — including the servlet context root. Combined with the framework's multipart /uploadServlet and an event that calls file.saveUploadFiles + FileManager.unZip, a remote attacker with no credentials drops a JSP webshell and executes arbitrary commands as the Tomcat user. This vulnerability is fixed in 4.08.010.
Title efw4.X: RCE via zipslip
Weaknesses CWE-77
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T21:06:42.018Z

Reserved: 2026-05-05T16:33:55.844Z

Link: CVE-2026-44257

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T22:16:35.840

Modified: 2026-05-12T22:16:35.840

Link: CVE-2026-44257

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T23:30:26Z

Weaknesses