CVE-2026-41530
Description
The automatic folder creation feature of Lhaz and Lhaz+ provided by Chitora soft contains a path traversal vulnerability. When the affected product is configured with the automatic folder creation feature enabled, and a product user tries to extract an archive file which has a crafted file name, then the archived files may be extracted to an unexpected folder.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Lhaz and Lhaz+ versions prior to 2.6.4 and 3.6.4 contain a path traversal vulnerability in the automatic folder creation feature, allowing extraction to an unexpected folder.
Vulnerability
Overview
Lhaz and Lhaz+ are archive extraction utilities provided by Chitora soft. When the automatic folder creation feature is enabled, the software normally creates a folder named after the archive file and extracts contents into it. However, due to improper handling of crafted archive file names, the folder creation may be bypassed, causing files to be extracted to the parent directory instead of the intended subfolder [1][2]. This is classified as a path traversal vulnerability (CWE-22).
Exploitation
Conditions
Exploitation requires the user to have the automatic folder creation feature enabled and to extract a specially crafted archive file. The attack is local and requires user interaction (e.g., double-clicking the archive). No authentication is needed, but the user must be tricked into extracting a malicious archive. The CVSS v3 base score is 3.3 (Low), reflecting the need for user interaction and the limited scope of impact [2].
Impact
If exploited, an attacker could write files to an unexpected folder, potentially a higher-privilege directory (e.g., the user's startup folder or system directories). This could lead to arbitrary code execution with the user's privileges, enabling installation of malware, data modification, or deletion [1][2]. The impact is limited to the user's session and does not directly compromise other users or system-level integrity.
Mitigation
The developer has released patched versions: Lhaz 2.6.4 and Lhaz+ 3.6.4. Users should update to these versions immediately. No other workaround is available; disabling the automatic folder creation feature may reduce risk but may not fully prevent exploitation [1][2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
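As an added illustration of the defensive check the overview and mitigation sections imply (example code written for this page, not code from Lhaz, Lhaz+ or Chitora soft), the following Python derives the auto-created folder name from an archive's file name and confirms that both that folder and every archive entry resolve inside the chosen extraction root. It assumes, as the overview describes, that the folder name is taken from the archive's file name; the root directory and archive names are constructed for the demonstration.

```python
import os
import re

# Constructed extraction root for the demonstration; any directory works.
ROOT = "/srv/extract"


def folder_name_for_archive(archive_name: str) -> str:
    """Derive the auto-created folder name from an archive file name.

    Only the final path component is used (split on both '/' and '\\',
    since the product is Windows software), the extension is dropped,
    trailing dots/spaces are removed, and a name that would collapse to
    '.' or '..' falls back to a fixed safe name instead of a parent path.
    """
    base = re.split(r"[\\/]", archive_name)[-1]
    stem = base.rsplit(".", 1)[0] if "." in base else base
    stem = stem.rstrip(". ")
    return stem if stem not in ("", ".", "..") else "extracted"


def resolve_inside(root: str, *parts: str) -> str:
    """Join parts under root and return the real path, or raise if it escapes."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, *parts))
    if os.path.commonpath([root_real, target]) != root_real:
        raise ValueError(f"path escapes {root_real}: {target}")
    return target


def extraction_dir(root: str, archive_name: str) -> str:
    """Folder the archive's contents should land in, guaranteed under root."""
    return resolve_inside(root, folder_name_for_archive(archive_name))


def member_target(root: str, archive_name: str, member: str) -> str:
    """Destination of one archive entry; both the folder and the entry are checked.

    Absolute entry names and '..' components are neutralised by splitting on
    either separator, dropping empty parts, and re-joining under the folder.
    """
    dest = extraction_dir(root, archive_name)
    parts = [p for p in re.split(r"[\\/]", member) if p]
    return resolve_inside(dest, *parts)


def is_safe_member(root: str, archive_name: str, member: str) -> bool:
    """True when the entry would be written inside the extraction folder."""
    try:
        member_target(root, archive_name, member)
        return True
    except ValueError:
        return False
```

Running `extraction_dir(ROOT, "..\\..\\evil.zip")` yields a folder under ROOT named `evil`, and `is_safe_member(ROOT, "photos.lzh", "../../escape.txt")` returns False.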