CVE-2026-44257: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in efwGrp efw4.X
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and lands anywhere the Tomcat process can write — including the servlet context root. Combined with the framework's multipart /uploadServlet and an event that calls file.saveUploadFiles + FileManager.unZip, a remote attacker with no credentials drops a JSP webshell and executes arbitrary commands as the Tomcat user. This vulnerability is fixed in 4.08.010.
AI Analysis
Technical Summary
efw4.X prior to version 4.08.010 contains a command injection vulnerability (CWE-77) due to improper neutralization of special elements in file paths during zip extraction. The FileManager.unZip method does not perform canonical path checks when writing zip entries to disk, enabling path traversal attacks. An attacker can upload a crafted zip file with entries named to escape the extraction directory and place malicious JSP files in locations writable by the Tomcat process, such as the servlet context root. This can be exploited remotely without authentication via the framework's multipart upload servlet combined with an event that calls file.saveUploadFiles and FileManager.unZip, resulting in arbitrary command execution as the Tomcat user. The vulnerability is resolved in efw4.X version 4.08.010.
Potential Impact
Successful exploitation allows remote unauthenticated attackers to upload a JSP webshell and execute arbitrary commands with the privileges of the Tomcat process. This can lead to full system compromise of the affected server. The vulnerability has a CVSS 4.0 score of 9.3, reflecting its critical impact on confidentiality, integrity, and availability.
Mitigation Recommendations
The vulnerability is fixed in efw4.X version 4.08.010. Users should upgrade to this version or later to remediate the issue. No official patch link or vendor advisory is provided, so verify patch availability and installation guidance from the vendor or official sources. Until patched, restrict access to the upload servlet if possible and monitor for suspicious file uploads, but note that no temporary or official fixes are documented in the provided data.
CVE-2026-44257: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in efwGrp efw4.X
Description
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and lands anywhere the Tomcat process can write — including the servlet context root. Combined with the framework's multipart /uploadServlet and an event that calls file.saveUploadFiles + FileManager.unZip, a remote attacker with no credentials drops a JSP webshell and executes arbitrary commands as the Tomcat user. This vulnerability is fixed in 4.08.010.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
efw4.X prior to version 4.08.010 contains a command injection vulnerability (CWE-77) due to improper neutralization of special elements in file paths during zip extraction. The FileManager.unZip method does not perform canonical path checks when writing zip entries to disk, enabling path traversal attacks. An attacker can upload a crafted zip file with entries named to escape the extraction directory and place malicious JSP files in locations writable by the Tomcat process, such as the servlet context root. This can be exploited remotely without authentication via the framework's multipart upload servlet combined with an event that calls file.saveUploadFiles and FileManager.unZip, resulting in arbitrary command execution as the Tomcat user. The vulnerability is resolved in efw4.X version 4.08.010.
Potential Impact
Successful exploitation allows remote unauthenticated attackers to upload a JSP webshell and execute arbitrary commands with the privileges of the Tomcat process. This can lead to full system compromise of the affected server. The vulnerability has a CVSS 4.0 score of 9.3, reflecting its critical impact on confidentiality, integrity, and availability.
Mitigation Recommendations
The vulnerability is fixed in efw4.X version 4.08.010. Users should upgrade to this version or later to remediate the issue. No official patch link or vendor advisory is provided, so verify patch availability and installation guidance from the vendor or official sources. Until patched, restrict access to the upload servlet if possible and monitor for suspicious file uploads, but note that no temporary or official fixes are documented in the provided data.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-05T16:33:55.844Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0399d6cbff5d86101a8915
Added to database: 5/12/2026, 9:21:26 PM
Last enriched: 5/12/2026, 9:37:14 PM
Last updated: 5/13/2026, 4:52:22 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.