VYPR

Efw4.x

by EfwGrp


CVEs (3)

  • CVE-2026-44258   Critical   May 12, 2026
    risk 0.60   cvss not listed   epss 0.00

    efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the elfinder_checkRisk function validates target and targets for path traversal and home containment, but does not validate the dst (destination) parameter used by elfinder_paste. An attacker can copy or move files…

  • CVE-2026-44257   Critical   May 12, 2026
    risk 0.60   cvss not listed   epss 0.00

    efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and…
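    Both entries above describe the same root cause: a client-controlled path (the elfinder_paste dst parameter in CVE-2026-44258, the zip entry name in CVE-2026-44257) is joined to a base directory with new File(baseDir, name) and used without checking where it canonicalizes to. The block below is an added illustration, not code from efw4.X or its 4.08.010 fix: it shows the unchecked join beside a canonical-path containment check and applies that check to both a dst-style value and to zip extraction. It assumes Java 9 or later (for InputStream.transferTo); the class and method names, and the sample entry name, are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Illustrative containment checks; not the efw4.X project's own code. */
public class SafePaths {

    /** True only if candidate canonicalizes to base itself or to a path below base. */
    static boolean isInside(File base, File candidate) throws IOException {
        String basePath = base.getCanonicalPath();
        String candPath = candidate.getCanonicalPath();
        // Compare with a trailing separator so /home/a does not accept /home/abc.
        return candPath.equals(basePath) || candPath.startsWith(basePath + File.separator);
    }

    /** Resolve a client-supplied relative path against home; refuse anything that escapes it. */
    static File resolveInHome(File home, String clientPath) throws IOException {
        File target = new File(home, clientPath);
        if (!isInside(home, target)) {
            throw new SecurityException("path escapes home: " + clientPath);
        }
        return target;
    }

    /** The unchecked pattern: a stand-in for the unvalidated dst and the raw zip entry name. */
    static File unchecked(File baseDir, String name) {
        return new File(baseDir, name);
    }

    /** Hardened unZip: every entry must still be under baseDir after canonicalization. */
    static void safeUnZip(InputStream zipBytes, File baseDir) throws IOException {
        try (ZipInputStream zin = new ZipInputStream(zipBytes)) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                File out = resolveInHome(baseDir, entry.getName()); // throws before anything is written
                if (entry.isDirectory()) {
                    Files.createDirectories(out.toPath());
                } else {
                    Files.createDirectories(out.getParentFile().toPath());
                    try (OutputStream fos = new FileOutputStream(out)) {
                        zin.transferTo(fos); // Java 9+
                    }
                }
                zin.closeEntry();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        File home = Files.createTempDirectory("efw-home").toFile();
        String evil = "../../../pwned.jsp"; // constructed attacker-controlled value

        // 1. dst-style parameter: the unchecked join lands outside home, the checked one refuses it.
        System.out.println("unchecked dst resolves to " + unchecked(home, evil).getCanonicalPath());
        try {
            resolveInHome(home, evil);
        } catch (SecurityException e) {
            System.out.println("checked dst rejected: " + e.getMessage());
        }
        System.out.println("benign dst accepted: " + resolveInHome(home, "docs/a.txt").getCanonicalPath());

        // 2. zip entry: build an in-memory archive whose single entry carries the traversal name.
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bytes)) {
            zout.putNextEntry(new ZipEntry(evil));
            zout.write("<% out.println(\"pwned\"); %>".getBytes(StandardCharsets.UTF_8));
            zout.closeEntry();
        }
        try {
            safeUnZip(new ByteArrayInputStream(bytes.toByteArray()), home);
        } catch (SecurityException e) {
            System.out.println("unZip rejected entry: " + e.getMessage());
        }
    }
}
```

    The check is done on canonical paths rather than on the raw string, so it also catches symlinked base directories and mixed separators; a pure string filter for ".." would not. For paste, the same resolveInHome call has to be applied to dst exactly as it is to target and targets, since any one unchecked parameter is enough to move files out of the home.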

  • CVE-2026-44259   Medium   May 12, 2026
    risk 0.30   cvss 4.6   epss 0.00

    efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the previewServlet serves files with their detected MIME type based on file extension, without any content sanitization or security headers. Files with .html, .htm, or .svg extensions are served as text/html or…
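    The problem in this entry is not the stored file but the response that delivers it: when an uploaded .html or .svg file is returned inline as a browser-renderable type from the application's own origin, any script inside it runs with that origin's cookies and session. The block below is an added illustration, not efw4.X code: it shows the extension-driven header set beside a hardened one that downgrades active content to a download, adds nosniff so the browser cannot sniff it back to HTML, and attaches a sandboxing CSP. The extension-to-type table and the class name are assumptions; the page only names .html, .htm and .svg.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Illustrative response-header policy for a file preview endpoint; not the efw4.X project's own code. */
public class PreviewHeaders {

    /** Extensions a browser would parse as a document and execute script from. */
    private static final Set<String> ACTIVE_CONTENT = Set.of("html", "htm", "xhtml", "svg", "xml");

    static String extensionOf(String fileName) {
        int dot = fileName.lastIndexOf('.');
        return dot < 0 ? "" : fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** Extension-to-type table (assumed; the advisory only names .html/.htm/.svg). */
    static String typeByExtension(String ext) {
        switch (ext) {
            case "html": case "htm": return "text/html";
            case "svg": return "image/svg+xml";
            case "png": return "image/png";
            case "jpg": case "jpeg": return "image/jpeg";
            case "txt": return "text/plain";
            default: return "application/octet-stream";
        }
    }

    /** Replace characters that could break or smuggle through the Content-Disposition header. */
    static String headerSafeName(String fileName) {
        return fileName.replaceAll("[^A-Za-z0-9._-]", "_");
    }

    /** Unsafe pattern: type taken straight from the extension, rendered inline, no protective headers. */
    static Map<String, String> vulnerableHeaders(String fileName) {
        Map<String, String> h = new LinkedHashMap<>();
        h.put("Content-Type", typeByExtension(extensionOf(fileName)));
        return h;
    }

    /** Hardened pattern: user-supplied active content is never rendered in the application's origin. */
    static Map<String, String> safeHeaders(String fileName) {
        Map<String, String> h = new LinkedHashMap<>();
        String ext = extensionOf(fileName);
        String name = headerSafeName(fileName);
        if (ACTIVE_CONTENT.contains(ext)) {
            // Downgrade the type and force a download so the markup cannot run with the app's session.
            h.put("Content-Type", "application/octet-stream");
            h.put("Content-Disposition", "attachment; filename=\"" + name + "\"");
        } else {
            h.put("Content-Type", typeByExtension(ext));
            h.put("Content-Disposition", "inline; filename=\"" + name + "\"");
        }
        h.put("X-Content-Type-Options", "nosniff");                      // no sniffing back to text/html
        h.put("Content-Security-Policy", "sandbox; default-src 'none'"); // inert even if rendered somewhere
        h.put("Cache-Control", "no-store");
        return h;
    }

    public static void main(String[] args) {
        for (String f : new String[] {"evil.html", "chart.svg", "logo.png"}) { // constructed sample names
            System.out.println(f + " vulnerable: " + vulnerableHeaders(f));
            System.out.println(f + " hardened:   " + safeHeaders(f));
        }
    }
}
```

    Inside a servlet the map would be applied with response.setHeader before streaming the file. If inline preview of HTML or SVG is a product requirement, the stronger fix is to serve previews from a separate, cookie-less origin so that rendered content cannot reach the application's session at all; the header policy above is the minimum for an endpoint that stays on the main origin.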