CRITICAL
efwGrp
CVE published 2026-05-12
CVE-2026-44257
efw4.X Enterprise Framework for Web contains a critical path traversal vulnerability in its file extraction functionality. The `efw.file.FileManager.unZip` method prior to version 4.08.010 constructs file paths using `new File(baseDir, zipEntry.getName())` without canonical path validation. This allows malicious zip entries containing directory traversal sequences (e.g., `../../../pwned.jsp`) to escape th [truncated]
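The pattern the advisory describes, shown beside the check that closes it. This is an added illustration written for this page, not code from the efw project or its fix: the `vulnerableTarget` helper only builds the `File` the way the description says `unZip` did, and `safeTarget` adds the canonical-path containment check that was missing. The sample archive, temp directory and class name are constructed for the demo; nothing is written to disk except an empty temp directory.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/**
 * Hypothetical demo of the unZip path-traversal pattern from the advisory.
 * Not efw's FileManager: it computes target paths and prints them, it does
 * not extract anything.
 */
public class ZipSlipDemo {

    /** Vulnerable pattern: target path taken straight from the entry name. */
    static File vulnerableTarget(File baseDir, ZipEntry entry) {
        return new File(baseDir, entry.getName());
    }

    /** Hardened form: canonicalise and require the target to stay under baseDir. */
    static File safeTarget(File baseDir, ZipEntry entry) throws IOException {
        // Trailing separator so "/tmp/out2" is not accepted as inside "/tmp/out".
        String basePath = baseDir.getCanonicalPath() + File.separator;
        File target = new File(baseDir, entry.getName());
        String targetPath = target.getCanonicalPath(); // resolves "..", symlinks, etc.
        if (!targetPath.startsWith(basePath)) {
            throw new IOException("zip entry escapes extraction dir: " + entry.getName());
        }
        return target;
    }

    /** Constructed sample archive: one benign entry, one traversal entry. */
    static byte[] buildSampleZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String name : new String[] {"docs/readme.txt", "../../../pwned.jsp"}) {
                zos.putNextEntry(new ZipEntry(name)); // names are stored verbatim
                zos.write("x".getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("unzip-demo");
        File baseDir = tmp.toFile();
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(buildSampleZip()))) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                System.out.println("entry " + e.getName());
                // Vulnerable path: "../../../pwned.jsp" resolves outside baseDir.
                System.out.println("  vulnerable target: " + vulnerableTarget(baseDir, e).getCanonicalPath());
                try {
                    System.out.println("  hardened accepts : " + safeTarget(baseDir, e).getCanonicalPath());
                } catch (IOException ex) {
                    System.out.println("  hardened rejects : " + ex.getMessage());
                }
                zis.closeEntry();
            }
        }
        Files.delete(tmp);
    }
}
```

Run with `javac ZipSlipDemo.java && java ZipSlipDemo`: the benign entry resolves under the temp directory in both helpers, while `../../../pwned.jsp` resolves three levels above it in the vulnerable helper and is rejected by the hardened one. The check is on the canonical path rather than on the raw entry name, so encoded or mixed-separator variants are normalised before the comparison. For deployed efw4.X, the advisory's own remediation is to be on 4.08.010 or later; until then, archives from untrusted sources should not reach `FileManager.unZip`.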