Description
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the elfinder_checkRisk function validates target and targets for path traversal and home containment, but does not validate the dst (destination) parameter used by elfinder_paste. An attacker can copy or move files from within the home directory to any arbitrary destination by setting dst to a base64-encoded traversal path. This bypasses the protected=true security control. This vulnerability is fixed in 4.08.010.
Published: 2026-05-12
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the elfinder_paste functionality of efw4.X. Before version 4.08.010 the elfinder_checkRisk routine filters path traversal on the target parameter but ignores the dst (destination) value. An attacker can supply a base64‑encoded traversal string as dst, causing the application to copy or move files from the protected home directory to an arbitrary location on the server. This bypasses the protected=true security check, giving the attacker write access to files that can be leveraged for remote code execution. The weakness is classified as CWE‑78.

Affected Systems

efwGrp’s efw4.X web framework versions earlier than 4.08.010 are vulnerable. The issue is present from the initial release through 4.08.009; the advisory specifies that the 4.08.010 release contains the fix. Systems running any of these versions should be considered at risk until upgraded.

Risk and Exploitability

The CVSS score of 9.3 marks the flaw as critical, and although the EPSS score is unavailable, the lack of KEV listing today does not reduce the practical risk. Based on the description it is inferred that the attacker can trigger the vulnerability via the web interface; an unauthenticated or authenticated user with access to the elfinder_paste endpoint could exploit it remotely. The exploitation path requires only the ability to send a crafted request to elfinder_paste with a base64‑encoded dst parameter, making it relatively straightforward to automate once the endpoint is discovered.

Generated by OpenCVE AI on May 12, 2026 at 22:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade efw4.X to version 4.08.010 or later to apply the vendor fix.
  • If upgrading is delayed, restrict network access to the elfinder_paste endpoint to trusted IP addresses or enforce authentication before allowing paste operations.
  • Disable the paste feature entirely until the update is in place or ensure the dst parameter is validated against traversal patterns.

Generated by OpenCVE AI on May 12, 2026 at 22:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the elfinder_checkRisk function validates target and targets for path traversal and home containment, but does not validate the dst (destination) parameter used by elfinder_paste. An attacker can copy or move files from within the home directory to any arbitrary destination by setting dst to a base64-encoded traversal path. This bypasses the protected=true security control. This vulnerability is fixed in 4.08.010.
Title efw4.X: Path Traversal via Unchecked dst Parameter leads to Remote Code Execution
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T21:05:06.569Z

Reserved: 2026-05-05T16:33:55.844Z

Link: CVE-2026-44258

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T22:16:36.127

Modified: 2026-05-12T22:16:36.127

Link: CVE-2026-44258

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T22:45:15Z

Weaknesses