PT-2026-40443 · Efw · Efw

Published: 2026-05-12 · Updated: 2026-05-13 · CVE-2026-44257

CVSS v4.0: 9.3 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

efw4.X versions prior to 4.08.010

Description

The unZip function in efw.file.FileManager writes zip entries to disk using new File(baseDir, zipEntry.getName()) without performing a canonical-path check. This allows an attacker to use entry names containing path traversal sequences, such as ../../../pwned.jsp, to escape the intended extraction directory and write files to any location accessible by the Tomcat process, including the servlet context root. When combined with the /uploadServlet multipart endpoint and an event that triggers file.saveUploadFiles and FileManager.unZip, an unauthenticated remote attacker can upload a JSP webshell to execute arbitrary commands with the privileges of the Tomcat user.

Recommendations

Update to version 4.08.010.

Exploit

Fix

RCE

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-44257

Affected Products

Efw