216.73.217.64

CVE-2026-44258

· Published 12/05/2026 22:16 · Modified 13/05/2026 16:10

Labels: CVE-2026-44258 2026-05-12CVE-2026-44258CWE-78[email protected]

Essential information

Published
12/05/2026 22:16
Modified
13/05/2026 16:10
Author
Creator
CVSS
9.3 CRITICAL (v3) 9.3 CRITICAL (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the elfinder_checkRisk function validates target and targets for path traversal and home containment, but does not validate the dst (destination) parameter used by elfinder_paste. An attacker can copy or move files from within the home directory to any arbitrary destination by setting dst to a base64-encoded traversal path. This bypasses the protected=true security control. This vulnerability is fixed in 4.08.010.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
efw4 / enterprise framework for web cpe:2.3:a:efw4:enterprise_framework_for_web:<4.08.010:*:*:*:*:*:*:*
efw4 / enterprise framework for web cpe:2.3:a:efw4:enterprise_framework_for_web:4.08.010:*:*:*:*:*:*:*

References