PatchSiren cyber security CVE debrief
CVE-2026-11470 hs-web CVE debrief
A path traversal vulnerability has been discovered in hsweb-framework, affecting versions up to 5.0.1. The vulnerability is located in the `denied` function of the `FileUploadProperties.java` file, where an attacker can manipulate the `filename` argument to traverse the file system. The vulnerability can be exploited remotely and has been publicly disclosed.
- Vendor: hs-web
- Product: hsweb-framework
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-08
Who should care
Users of hsweb-framework up to version 5.0.1 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by improper handling of the `filename` argument in the `denied` function of `FileUploadProperties.java`. This allows an attacker to traverse the file system by manipulating the `filename` argument.
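For teams reviewing their own upload handlers for the same class of flaw, the following added example (not hsweb-framework code and not the referenced patch) shows one way to validate a client-supplied `filename` before it reaches the file system. The class `UploadNameCheck`, the method `resolveUpload`, the upload root and the sample filenames are all hypothetical and constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example: hypothetical helper, not part of hsweb-framework.
public class UploadNameCheck {

    // Resolve a client-supplied filename under uploadRoot. Rejects any name that
    // is not a single plain path segment or that resolves outside the root.
    static Path resolveUpload(Path uploadRoot, String filename) throws IOException {
        if (filename == null || filename.isEmpty() || filename.indexOf('\0') >= 0) {
            throw new IOException("rejected filename: empty or contains NUL");
        }
        // Refuse both separator styles regardless of the server OS, so a name
        // written for another platform cannot slip through.
        if (filename.contains("/") || filename.contains("\\")
                || filename.equals(".") || filename.equals("..")) {
            throw new IOException("rejected filename: not a plain segment");
        }
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path target;
        try {
            target = root.resolve(filename).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("rejected filename: invalid path", e);
        }
        // Containment check as a second layer: the normalized result must be
        // strictly inside the upload root (component-wise comparison).
        if (!target.startsWith(root) || target.equals(root)) {
            throw new IOException("rejected filename: escapes upload root");
        }
        return target;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/srv/uploads"); // constructed sample root
        // Constructed sample names: one benign, the rest traversal-shaped.
        String[] samples = { "report.pdf", "../report.pdf", "..\\report.pdf", "a/../../b.txt", ".." };
        for (String name : samples) {
            try {
                System.out.println("accepted -> " + resolveUpload(root, name));
            } catch (IOException e) {
                System.out.println("rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Any allow-list or deny-list decision on the file type should be made on the name only after it has passed this check, so the decision and the eventual write refer to the same path.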
Defensive priority
Low
Recommended defensive actions
- Apply the patch with identifier 8009845b577d8a2c4bbf4fdd8e8913799a714be6 to address this issue.
- Refer to [ref-5] for patch details.
Evidence notes
The CVE record [cve-org] and NVD detail [nvd] provide additional information about this vulnerability.
Official resources
CVE-2026-11470 was published on 2026-06-08T01:16:22.433Z and modified on 2026-06-08T14:57:14.757Z.