PT-2026-40445 · Efw · Efw

Published 2026-05-12 · Updated 2026-05-13 · CVE-2026-44259

CVSS v3.1: 4.6 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: efw4.X versions prior to 4.08.010

Description: The 'previewServlet' serves files using detected MIME types based on file extensions without applying security headers or content sanitization. Files with extensions such as .html, .htm, or .svg are served as 'text/html' or 'image/svg+xml', which allows embedded JavaScript to execute in the user's browser within the application's origin.

Recommendations: Update to version 4.08.010.
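
For reviewing other preview or download endpoints for the same weakness, the following added example (not efw's code and not the change shipped in 4.08.010) computes response headers that keep script-capable file types from rendering in the application's origin. The class name, the inline allow-list and the sample file names are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

// Added example: header policy for a file-preview endpoint (hypothetical class, not efw's code).
public class PreviewHeaderPolicy {
    // Assumed allow-list: types a browser displays without running script.
    // Everything else, including .html, .htm and .svg, is sent as a download.
    private static final Map<String, String> INLINE_SAFE = Map.of(
        "png", "image/png",
        "jpg", "image/jpeg",
        "jpeg", "image/jpeg",
        "gif", "image/gif",
        "txt", "text/plain; charset=utf-8");

    public static Map<String, String> headersFor(String fileName) {
        // Keep only the last path segment and a conservative character set,
        // so the name cannot break out of the Content-Disposition header.
        int cut = Math.max(fileName.lastIndexOf('/'), fileName.lastIndexOf('\\'));
        String safeName = fileName.substring(cut + 1).replaceAll("[^A-Za-z0-9._-]", "_");
        int dot = safeName.lastIndexOf('.');
        String ext = dot < 0 ? "" : safeName.substring(dot + 1).toLowerCase(Locale.ROOT);

        Map<String, String> headers = new LinkedHashMap<>();
        String inlineType = INLINE_SAFE.get(ext);
        if (inlineType != null) {
            headers.put("Content-Type", inlineType);
            headers.put("Content-Disposition", "inline; filename=\"" + safeName + "\"");
        } else {
            // Active or unknown content: never served as text/html or image/svg+xml.
            headers.put("Content-Type", "application/octet-stream");
            headers.put("Content-Disposition", "attachment; filename=\"" + safeName + "\"");
        }
        // Defence in depth: no MIME sniffing, and no script even if a type slips through.
        headers.put("X-Content-Type-Options", "nosniff");
        headers.put("Content-Security-Policy", "sandbox; default-src 'none'");
        return headers;
    }

    public static void main(String[] args) {
        // Constructed sample file names.
        String[] samples = {"photo.PNG", "note.html", "logo.svg", "a\"b.htm", "notes.txt"};
        for (String name : samples) {
            System.out.println(name + " -> " + headersFor(name));
        }
    }
}
```

In a servlet, each entry of the returned map would be applied with `response.setHeader(name, value)` before the file body is written.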

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-44259

Affected Products: Efw