Path Traversal Vulnerability in Lhaz and Lhaz+ by Chitora Soft
CVE-2026-41530

4.6 MEDIUM

Key Information:

Status
Vendor
CVE Published: 12 May 2026

What is CVE-2026-41530?

The automatic folder creation functionality of Lhaz and Lhaz+ by Chitora Soft is vulnerable to a path traversal issue. When users extract archive files with specially crafted filenames while this feature is enabled, the files may be extracted into unintended directories, potentially leading to unauthorized access or overwriting of critical files.

Affected Version(s)

Lhaz 2.6.3 and earlier

Lhaz+ 3.6.3 and earlier

CVSS V4

Score: 4.6
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

CVSS V3.0

Score: 3.3
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
