File Management Issue in efw4.X by efwGrp Affects Tomcat Users
CVE-2026-44257

9.3 CRITICAL

Key Information:

Vendor:
Efwgrp
Status:
Vendor
CVE Published:
12 May 2026

What is CVE-2026-44257?

The Enterprise Framework for Web (efw4.X) contains a path traversal vulnerability in its file management functionality that a remote attacker can reach through the framework's zip extraction. Before version 4.08.010, the 'unZip' method does not validate zip entry paths, so an archive containing an entry named like '../../../pwned.jsp' is written outside the intended extraction directory, to any location the Tomcat process can write. An attacker could use this to place a JSP webshell on the server and execute arbitrary commands with Tomcat's privileges. The flaw is addressed in version 4.08.010.
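
The defensive check the advisory implies, validating every zip entry path against the destination directory before anything is written, looks like the following in Java. This is an added illustration, not efw's own unZip method or its 4.08.010 patch; the class and method names (SafeUnzip, safeResolve, unzip) are my own, and the sample archive, including the traversal entry name taken from the advisory text, is constructed in memory so the program runs offline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Hypothetical hardened unzip; not the efw4.X implementation. */
public final class SafeUnzip {

    /**
     * Resolve an archive entry name against destDir and reject anything that
     * would land outside it. normalize() collapses "." and ".." segments, and
     * an absolute entry name is rejected too because the resolved path will
     * not start with the base directory.
     */
    static Path safeResolve(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IOException("Zip entry escapes destination directory: " + entryName);
        }
        return target;
    }

    /** Extract the archive, refusing the whole operation at the first unsafe entry. */
    static int unzip(InputStream zipStream, Path destDir) throws IOException {
        int filesWritten = 0;
        try (ZipInputStream zis = new ZipInputStream(zipStream)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                // Validate before touching the filesystem for this entry.
                Path target = safeResolve(destDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    // Files.copy reads until the end of the current entry only.
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                    filesWritten++;
                }
                zis.closeEntry();
            }
        }
        return filesWritten;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample archive: one benign entry, then one traversal entry
        // using the name quoted in the advisory. ZipOutputStream accepts any name.
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bytes)) {
            zos.putNextEntry(new ZipEntry("docs/readme.txt"));
            zos.write("hello".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../../../pwned.jsp"));
            zos.write("placeholder".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }

        Path dest = Files.createTempDirectory("safe-unzip-demo");
        try {
            unzip(new ByteArrayInputStream(bytes.toByteArray()), dest);
            System.out.println("unexpected: archive accepted");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // The benign entry preceded the bad one, so it was extracted before the rejection.
        System.out.println("benign entry present: " + Files.exists(dest.resolve("docs/readme.txt")));
        // Nothing was written above the destination directory.
        System.out.println("traversal target present: "
                + Files.exists(dest.getParent().getParent().getParent().resolve("pwned.jsp")));
    }
}
```

Because ZipInputStream is forward-only, entries preceding an unsafe one have already been written when the exception fires; a stricter design reads the archive into a temporary file, checks every entry name with safeResolve first, and only then extracts. The check also does not account for symbolic links already present under the destination, so extraction should target a fresh, empty directory.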

Affected Version(s)

efw4.X < 4.08.010

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
