VYPR
Vendor

EfwGrp

Products
1
CVEs
3
Across products
3
Status
Private

Products

1

Recent CVEs

3
  • CVE-2026-44258CriMay 12, 2026
    risk 0.60cvss epss 0.00

    efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the elfinder_checkRisk function validates target and targets for path traversal and home containment, but does not validate the dst (destination) parameter used by elfinder_paste. An attacker can copy or move files…

  • CVE-2026-44257CriMay 12, 2026
    risk 0.60cvss epss 0.00

    efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and…

  • CVE-2026-44259MedMay 12, 2026
    risk 0.30cvss 4.6epss 0.00

    efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the previewServlet serves files with their detected MIME type based on file extension, without any content sanitization or security headers. Files with .html, .htm, or .svg extensions are served as text/html or…