PT-2026-40444 · Elfinder · Elfinder

Published: 2026-05-12 · Updated: 2026-05-14 · CVE-2026-44258

CVSS v4.0: 9.3 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: efw4.X versions prior to 4.08.010

Description: The elfinder checkRisk() function validates the target and targets parameters for path traversal and home containment, but it does not validate the dst parameter used by the elfinder paste command. An attacker can therefore copy or move files from the home directory to an arbitrary destination by supplying a base64-encoded traversal path as dst, bypassing the protected=true security control. Path traversal is a technique used to access files and directories that are stored outside the web root folder.

Recommendations: Update to version 4.08.010.

Exploit · Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2026-44258

Affected Products: Elfinder