Path Traversal Vulnerability in efw4.X Enterprise Framework
CVE-2026-44258

9.3 CRITICAL

Key Information:

Vendor: Efwgrp

Status
Vendor
CVE Published: 12 May 2026

What is CVE-2026-44258?

The efw4.X Enterprise Framework permits unauthorized file access because its elfinder_paste function does not sufficiently validate the destination parameter. An attacker can supply a base64-encoded traversal path as the destination and copy or move files from the home directory to an arbitrary location, bypassing security controls. Users should update to version 4.08.010 or newer.

Affected Version(s)

efw4.X < 4.08.010

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
